Authenticate as user/instance
Carson Gaspar
carson at taltos.org
Tue Mar 13 02:34:56 EDT 2012
[ Trimmed and de-top-posted ]
On 3/12/12 6:58 PM, John Devitofranceschi wrote:
> On Mar 12, 2012, at 12:24, Tiago Elvas <tiagoelvas at gmail.com> wrote:
>
>> I would like to configure my machine so that when I login as user
>> "operator" I get a credential as operator/instance, where instance
>> should be the hostname.
>>
>> The idea is that if I login as "operator" in both machines I get
>> different tickets. I thought that the instance should be the
>> hostname but I haven't yet found information on how to configure
>> this:
>>
>> - machine1.mydomain.com: ticket as operator/machine1.mydomain.com
>> - machine2.mydomain.com: ticket as operator/machine2.mydomain.com
>>
>> Any thoughts?
>
> I think you're not going to be able to do this without a local
> keytab.
>
> Keep your local keytabs in a consistent place, like
> /var/spool/keytabs/LOGINNAME and then, when you log in as LOGINNAME
> make certain that KRB5_KTNAME is set to the right keytab in the
> user's .profile or the system .profile and, if it exists, run
> "kinit -k".
It can be done, but it requires:
- all of the account/FQDN@REALM principals exist, and all have the same
passphrase (unless you have different passwords for "operator" on
different machines)
- Something in the PAM stack does the principal transmogrification - a
patched pam_krb5 would be fairly easy to produce
Of course if they all have the same passphrase, anyone with the operator
password could kinit as any of them. What are you trying to accomplish
with this scheme?
--
Carson
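An added example (not code from anyone in this thread) of the per-login keytab approach John describes: keytabs under /var/spool/keytabs/LOGINNAME, KRB5_KTNAME pointed at the right file from the login profile, and "kinit -k" for the host-specific principal LOGINNAME/FQDN@REALM. It assumes each host's keytab was provisioned on the KDC with its own random key, so the per-host principals never share a passphrase (which addresses Carson's caveat), and it takes the realm as an explicit argument; MYDOMAIN.COM is a placeholder, and KEYTAB_DIR is an override added only so the functions can be exercised outside /var/spool. Before trusting a keytab it also checks that the file is not group- or world-readable, since a readable keytab is as good as the password.

```shell
#!/bin/sh
# Added example, not from the thread. Login-profile hook for a shared account
# whose Kerberos identity is LOGINNAME/FQDN@REALM on each host.
# Assumptions: one keytab per login name under /var/spool/keytabs (John's
# layout), each holding a distinct random key for that host's principal;
# the realm is passed in explicitly. KEYTAB_DIR overrides the directory.

# Principal name for this login on this host: LOGINNAME/FQDN@REALM
host_principal() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Path of the per-login keytab, following the layout suggested in the thread.
keytab_path() {
    printf '%s/%s\n' "${KEYTAB_DIR:-/var/spool/keytabs}" "$1"
}

# Sanity-check a keytab before trusting it: it must exist, be readable by
# the caller, and carry no group/other permission bits at all.
keytab_ok() {
    kt="$1"
    [ -f "$kt" ] && [ -r "$kt" ] || return 1
    # GNU stat first, BSD stat as fallback; both print the octal mode.
    mode=$(stat -c '%a' "$kt" 2>/dev/null || stat -f '%Lp' "$kt" 2>/dev/null) || return 1
    case "$mode" in
        *00) ;;            # e.g. 600 or 400: owner-only, accepted
        *) return 1 ;;     # anything readable by group/other is rejected
    esac
}

# Profile hook: export KRB5_KTNAME and obtain a TGT for the host-specific
# principal with kinit -k. Returns 1 without touching the environment when
# the keytab is missing or unsafe, so a mis-provisioned host fails closed.
login_kinit() {
    login="$1"; fqdn="$2"; realm="$3"
    kt=$(keytab_path "$login")
    princ=$(host_principal "$login" "$fqdn" "$realm")
    if ! keytab_ok "$kt"; then
        echo "login_kinit: no usable keytab at $kt for $princ" >&2
        return 1
    fi
    KRB5_KTNAME="FILE:$kt"; export KRB5_KTNAME
    kinit -k -t "$kt" "$princ"
}

# Usage from ~/.profile or /etc/profile (realm is a placeholder):
#   login_kinit "$(id -un)" "$(hostname -f)" MYDOMAIN.COM
```

With this in place, logging in as "operator" on machine1 yields a ticket for operator/machine1.mydomain.com@MYDOMAIN.COM and on machine2 one for operator/machine2.mydomain.com@MYDOMAIN.COM, and because each keytab holds its own key, the operator password on one host does not let anyone kinit as the other host's principal.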