Cross-realm authentication: Kerberos or SSH config ?
Jean-Christophe Gay
jean-christophe.gay at dauphine.fr
Mon Feb 27 03:33:15 EST 2012
> Did you add the line:
> myuser at EXAMPLE.COM
> to the .k5login file for myuser on ssh-serv.etud.example.com?
>
> The assumption is foreign principals are not allowed to login by
> default. i.e. a local user in one realm is not the same as a local
> user in another realm.
>
> Also see the auth_to_local options in the krb5.conf file.
>
I didn't and that fixed my problems. I also added the auth_to_local
option in the krb5.conf so I don't have to manually add a lot
of .k5login files in /home directories. My [realms] section now is like
this as I only want one-way cross-realm authentication:
[realms]
    ETUD.EXAMPLE.COM = {
        [...]
        default_domain = etud.example.com
        auth_to_local = RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@.*//
        auth_to_local = DEFAULT
    }
    DAUPHINE.FR = {
        [...]
        default_domain = example.com
    }
Thanks,
Jean-Christophe