Authenticate as user/instance
Nico Williams
nico at cryptonector.com
Tue Mar 13 14:45:58 EDT 2012
On Tue, Mar 13, 2012 at 4:50 AM, Tiago Elvas <tiagoelvas at gmail.com> wrote:
> Thanks for your reply.
> The idea is to have a domain of several machines where each one has its own
> dedicated purpose and not having a requirement to have unique user ids for
> the whole system.
There was a long thread on heimdal-discuss a while about about similar
concepts. There the user wanted to be able to manage remote
filesystem access controls for similar "accounts"on many clients but
as different entities.
I'm not at all sure what it is that you want to do. Perhaps you want
all these principal names for authorization purposes. But perhaps you
want them for simplifying key management. Or perhaps you just want
better auditing on the theory that the principal name tells you the
client hostname, assuming the principal's credentials are not being
used on the wrong host.
Are these operators humans interacting with computers? Or automated services?
> So that if the operator logs in in machine1(being machine1 a fqdn) he has
> the authentication as principal "operator/machine1" and then in ldap he has
> his own profile. If he logs in in machine2 he'll get a different ldap
> profile.
"then in ldap he has his own profile". Do you mean own user account?
If so it sounds like you want to use this idea for authorization
purposes. If so, and if you're intending to use normal Unix/LDAP user
accounts for authorization, then you'll probably need to read up on
the principal to username mapping functionality of MIT krb5.
> Probably as John Devitofranceschi, I could generate keytabs for each user
> and force the authentication with that key. But I do not want to perform a
> kinit each time I login. Unless I modify the .bashrc file to do that...
You can almost certainly coax Russ' pam-krb5 to do what you want,
either via existing features or if need be by hacking on it.
Nico
--
More information about the Kerberos
mailing list