Authenticate as user/instance

Carson Gaspar carson at taltos.org
Tue Mar 13 02:34:56 EDT 2012


[ Trimmed and de-top-posted ]

On 3/12/12 6:58 PM, John Devitofranceschi wrote:
> On Mar 12, 2012, at 12:24, Tiago Elvas<tiagoelvas at gmail.com>  wrote:
>
>> I would like to configure my machine so that when I login as user
>> "operator" I get a credential as operator/instance, where instance
>> should be the hostname.
>>
>> The idea is that if I login as "operator" in both machines I get
>> different tickets. I thought that the instance should be the
>> hostname but I haven't yet found information on how to configure
>> this:
>>
>> - machine1.mydomain.com: ticket as operator/machine1.mydomain.com
>> - machine2.mydomain.com: ticket as operator/machine2.mydomain.com
>>
>> Any thoughts?
>
> I think you're not going to be able to do this without a local
> keytab.
>
> Keep your local keytabs in a consistent place, like
> /var/spool/keytabs/LOGINNAME and then, when you log in as LOGINNAME
> make certain that KRB5_KTNAME is set to the right keytab in the
> user's .profile or the system .profile and, if it exists, run "kinit
> -k".

It can be done, but it requires:
- all of the account/FQDN at REALM principals exist, and all have the same 
passphrase (unless you have different passwords for "operator" on 
different machines)
- Something in the PAM stack does the principal transmogrification - a 
patched pam_krb5 would be fairly easy to produce

Of course if they all have the same passphrase, anyone with the operator 
password could kinit as any of them. What are you trying to accomplish 
with this scheme?

-- 
Carson
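The per-user keytab scheme John describes above (keytab under /var/spool/keytabs/LOGINNAME, KRB5_KTNAME exported from the profile, then kinit -k against LOGINNAME/FQDN@REALM), written out as a profile fragment. This is an added illustration, not code from either poster; the realm name and the KEYTAB_DIR/KRB5_LOGIN_REALM variables are assumptions, and the fragment only runs kinit when a readable keytab actually exists, so a host without one just logs in normally.

```shell
#!/bin/sh
# Source from /etc/profile or ~/.profile. Implements the layout from the thread:
#   keytab:    /var/spool/keytabs/<login>
#   principal: <login>/<host fqdn>@<REALM>
# KEYTAB_DIR and KRB5_LOGIN_REALM are assumed names; EXAMPLE.COM is a placeholder.

KEYTAB_DIR="${KEYTAB_DIR:-/var/spool/keytabs}"
KRB5_LOGIN_REALM="${KRB5_LOGIN_REALM:-EXAMPLE.COM}"

# Path of the per-user keytab, e.g. /var/spool/keytabs/operator
keytab_for() {
    printf '%s/%s\n' "$KEYTAB_DIR" "$1"
}

# Host-specific principal, e.g. operator/machine1.mydomain.com@EXAMPLE.COM
principal_for() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Login-time hook. Arguments (login name, fqdn) default to the current
# user and host. Exports KRB5_KTNAME so kinit -k picks up the per-user
# keytab, but only if that keytab is actually readable by the user.
# Returns: 0 kinit ran, 1 no usable keytab, 2 kinit not installed.
krb_login_init() {
    login="${1:-$(id -un)}"
    fqdn="${2:-$(hostname -f 2>/dev/null || hostname)}"
    kt=$(keytab_for "$login")
    [ -r "$kt" ] || return 1
    KRB5_KTNAME="FILE:$kt"
    export KRB5_KTNAME
    command -v kinit >/dev/null 2>&1 || return 2
    kinit -k "$(principal_for "$login" "$fqdn" "$KRB5_LOGIN_REALM")"
}
```

Each host's keytab holds only that host's operator/FQDN key, which is what keeps the tickets distinct per machine; Carson's caveat still applies if the principals all share one passphrase, since the keytab layout does nothing about the password itself.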
