find the authorized principal
Russ Allbery
rra at stanford.edu
Wed Feb 22 17:26:32 EST 2012
Ken Dreyer <ktdreyer at ktdreyer.com> writes:
> I have a local system account "git" on my server. In git's home
> directory, several usernames are present in ~/.k5login. These accounts
> can use GSSAPI to log in with SSH.
>
> I'm interested to keep closer tabs on who is logging into this
> account, and maybe doing something with the information using git
> hooks. I know that my server's authentication log will contain the
> username of the principal that authenticated to the git account:
>
> Authorized to git, krb5 principal kdreyer at EXAMPLE.COM (krb5_kuserok)
>
> Is there any way for the git user account itself to find this
> information? I was hoping for an environment variable like $KRB5_USER
> or something.
Unfortunately, not directly. What we do with our gitolite server is use
the following wrapper around the gitolite hooks to establish the user from
the gitolite perspective:
#!/usr/bin/perl -w
#
# gitolite-wrapper - wrapper file to hand gitolite a kerberos user
#
# Written by Jon Robertson <jonrober at stanford.edu>
# Copyright 2011 Board of Trustees, Leland Stanford Jr. University

use strict;

# Read the default principal out of the forwarded credential cache via
# klist, strip the realm, and turn any '/' (primary/instance separator)
# into '_' so the result is usable as a gitolite user name.
sub get_principal {
    my $klist = `/usr/bin/klist`;
    my $principal = '';
    foreach my $line (split (/[\r\n]+/, $klist)) {
        if ($line =~ /^Default principal: (.+)\@stanford\.edu$/) {
            $principal = $1;
            $principal =~ tr%/%_%;
        }
    }
    return $principal;
}

# Refuse to run gitolite at all if no principal could be determined
# (typically because the client did not forward tickets).
my $principal = get_principal;
die "$0: could not find principal name\n" unless $principal;
exec ('/usr/share/gitolite/gl-auth-command', $principal);
This doesn't really help with a regular account, though, and it requires
that you forward tickets, and is in general somewhat unsatisfactory.
I wonder if it would be worth adding an option to the pam-krb5 session
module to set an environment variable containing the authenticated
principal used to access the account.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
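As an added example (not code from this thread, Stanford's wrapper or pam-krb5), the following Python script shows both approaches the thread touches on: deriving the user from the forwarded credential cache the way the Perl wrapper does, and attributing logins to the shared account from sshd's "Authorized to ..., krb5 principal ... (krb5_kuserok)" lines in the auth log, which is the only place the information exists when no tickets are forwarded. It pins the expected realm and validates the derived user name instead of accepting whatever `klist` prints. The realm EXAMPLE.COM, the host name, PIDs, and the klist and log samples are constructed; the sample log assumes the real line reads `kdreyer@EXAMPLE.COM`, the " at " in the quoted question being the archive's address obfuscation.

```python
"""
Added example: recover the Kerberos principal behind a login to a shared
account, (1) from the forwarded credential cache (klist output), as the
quoted Perl wrapper does, and (2) from sshd's krb5_kuserok audit lines.
All sample data below is constructed for the example.
"""
import re
import subprocess
from typing import Optional

# Only principals from this realm may map onto local users (assumption;
# the Perl wrapper hard-codes stanford.edu instead).
EXPECTED_REALM = "EXAMPLE.COM"

# "Default principal: user/instance@REALM" as printed by MIT klist.
_KLIST_RE = re.compile(r"^Default principal:\s+(\S+)@(\S+)\s*$", re.M)

# The sshd GSSAPI authorization line quoted in the original question.
_SSHD_RE = re.compile(
    r"Authorized to (?P<account>\S+), krb5 principal "
    r"(?P<principal>\S+) \(krb5_kuserok\)"
)

# Derived user names must start alphanumeric and contain only these
# characters; anything else is rejected rather than silently cleaned up.
_SAFE_USER_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def principal_to_username(full_principal: str) -> Optional[str]:
    """Map 'user/instance@REALM' to a safe local user name, or None.

    Mirrors the wrapper's tr%/%_% on the primary/instance part, but also
    requires the expected realm and validates the result, so a ticket from
    a foreign realm or an odd principal cannot be mistaken for a local user.
    """
    name, sep, realm = full_principal.rpartition("@")
    if not sep or realm != EXPECTED_REALM:
        return None
    name = name.replace("/", "_")
    if not _SAFE_USER_RE.match(name):
        return None
    return name


def parse_klist_principal(klist_output: str) -> Optional[str]:
    """Extract and sanitise the default principal from klist output."""
    m = _KLIST_RE.search(klist_output)
    if not m:
        return None
    return principal_to_username(f"{m.group(1)}@{m.group(2)}")


def current_principal() -> Optional[str]:
    """Run klist against the calling process's credential cache.

    Returns None when there is no cache (klist exits non-zero), which is
    what happens when the SSH client did not forward tickets.
    """
    try:
        out = subprocess.run(["/usr/bin/klist"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_klist_principal(out)


def parse_sshd_authorizations(log_text: str, account: str):
    """Return [(principal, local user or None)] for GSSAPI logins to account."""
    hits = []
    for m in _SSHD_RE.finditer(log_text):
        if m.group("account") != account:
            continue
        principal = m.group("principal")
        hits.append((principal, principal_to_username(principal)))
    return hits


# Constructed sample klist output for a forwarded cache.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1002_example
Default principal: kdreyer/admin@EXAMPLE.COM

Valid starting     Expires            Service principal
02/22/12 17:00:00  02/23/12 03:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Constructed sample auth log: one local-realm login to git, one from a
# foreign realm, one to a different account.
SAMPLE_AUTH_LOG = """\
Feb 22 17:26:01 gitbox sshd[4242]: Authorized to git, krb5 principal kdreyer@EXAMPLE.COM (krb5_kuserok)
Feb 22 17:27:15 gitbox sshd[4250]: Authorized to git, krb5 principal mallory@OTHER.ORG (krb5_kuserok)
Feb 22 17:28:03 gitbox sshd[4261]: Authorized to alice, krb5 principal alice@EXAMPLE.COM (krb5_kuserok)
"""

if __name__ == "__main__":
    print("from klist:", parse_klist_principal(SAMPLE_KLIST))
    for principal, user in parse_sshd_authorizations(SAMPLE_AUTH_LOG, "git"):
        print(f"{principal:28} -> {user or 'REJECTED (realm or name)'}")
```

The log-based path works for a plain account that never sees forwarded tickets, which is the gap Russ notes with the wrapper; the cost is that it needs read access to the auth log and a way to pair each line with the session it belongs to, whereas the klist path is available to the account itself.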