Cross-realm authentication: Kerberos or SSH config ?

Jean-Christophe Gay jean-christophe.gay at dauphine.fr
Mon Feb 27 03:33:15 EST 2012


> Did you add the line:
> myuser@EXAMPLE.COM
> to the .k5login file for myuser on ssh-serv.etud.example.com?
> 
> The assumption is foreign principals are not allowed to login by
> default. i.e. a local user in one realm is not the same as a local
> user in another realm.
> 
> Also see the auth_to_local options in the krb5.conf file.
> 

I didn't, and that fixed my problems. I also added the auth_to_local
option in the krb5.conf so I don't have to manually add a lot
of .k5login files in /home directories. My [realms] section now is like
this, as I only want one-way cross-realm authentication:

[realms]
	ETUD.EXAMPLE.COM = {
		[...]
		default_domain  = etud.example.com
		auth_to_local   = RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@.*//
		auth_to_local   = DEFAULT
	}
	DAUPHINE.FR = {
		[...]
		default_domain  = example.com
	}


Thanks,
Jean-Christophe
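
Added example (not part of the original post): a simplified Python model of how the auth_to_local lines above are evaluated, showing which principals end up mapped to a local account on the ETUD.EXAMPLE.COM side. The helper names, the sample principals and the use of Python's re module in place of the POSIX regular expressions krb5 uses are assumptions.

```python
import re

# Simplified model of auth_to_local evaluation (assumption: only the
# RULE:[n:fmt](regex)s/pat/repl/ form and DEFAULT are handled).
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\(([^)]*)\)s/([^/]*)/([^/]*)/(g?)$")

def split_principal(principal):
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm

def apply_rule(rule, principal, default_realm):
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals of the local realm.
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule: " + rule)
    n, fmt, regex, pat, repl, glob = m.groups()
    if len(comps) != int(n):
        return None                      # component count must equal n
    fields = [realm] + comps             # $0 is the realm, $1..$n the components
    s = re.sub(r"\$(\d)", lambda d: fields[int(d.group(1))], fmt)
    if not re.fullmatch(regex, s):       # regex must match the whole string
        return None
    return re.sub(pat, repl, s, count=0 if glob else 1)

def auth_to_local(rules, principal, default_realm):
    for rule in rules:                   # first rule that yields a name wins
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None                          # no mapping: not treated as a local user

# The two auth_to_local lines from the ETUD.EXAMPLE.COM realm block above.
RULES = [r"RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@.*//", "DEFAULT"]
REALM = "ETUD.EXAMPLE.COM"
# Constructed sample principals, not taken from the post.
SAMPLES = ["myuser@EXAMPLE.COM", "myuser@ETUD.EXAMPLE.COM",
           "myuser/admin@EXAMPLE.COM", "myuser@OTHER.EXAMPLE.ORG",
           "root@EXAMPLE.COM"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", auth_to_local(RULES, p, REALM))
```

Every single-component EXAMPLE.COM principal, root@EXAMPLE.COM included, maps to the same-named local account, so the rule fits only when a given username belongs to the same person in both realms.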

