Authenticate as user/instance

Tiago Elvas tiagoelvas at gmail.com
Tue Mar 13 14:46:38 EDT 2012


On Tue, Mar 13, 2012 at 6:45 PM, John Devitofranceschi <jdvf at optonline.net>
 wrote:

> How is 'operator' going to authenticate?
>
> Will it have its own password and principal? Or will users be mapped to it
> via operator's .k5login or by using auth_to_local statements in krb5.conf?
>
> jd


The operator will log in to the machine using the "normal" Linux
authentication screen.

I managed to successfully have tickets as user/fqdn by creating keytabs for
that user and including "kinit -k -t <persistent keytab path>" in its
profile.
However, this solution makes me have to manually create a keytab file for
each user in each machine, which I believe must not be a "good practice".
Or should it be?

With some modified PAM module it can probably be done, I guess.
I must confess I am no expert at all at handling PAM configuration...

On Tue, Mar 13, 2012 at 7:20 PM, Greg Hudson <ghudson at mit.edu> wrote:

> On 03/13/2012 01:45 PM, John Devitofranceschi wrote:
> > How is 'operator' going to authenticate?
>
> The most workable interpretation of the request is that operator's
> password will be the Kerberos password of operator/fqdn, which will be
> different for each host.
>
> It looks like this may be possible with Russ's pam_krb5 using the
> alt_auth_map or search_k5login directives.
>
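
A sketch of the alt_auth_map approach mentioned in the quoted reply, as an added example that is not part of the original thread or the pam_krb5 distribution. The host name host1.example.com and realm EXAMPLE.COM are constructed placeholders, and the fragment assumes Russ Allbery's pam_krb5 reading its options from the pam application block of krb5.conf:

```ini
# /etc/krb5.conf on host1.example.com (constructed host name and realm)
[appdefaults]
    pam = {
        # pam_krb5 replaces %s with the login name, so a login as
        # "operator" on this host is checked against the password of
        # operator/host1.example.com@EXAMPLE.COM.
        # If that principal does not exist, the module falls back to
        # the user's ordinary principal.
        alt_auth_map = %s/host1.example.com@EXAMPLE.COM
    }

# Each host carries its own value here, with its own FQDN as the
# instance. The per-host secret stays in the KDC as the password of
# user/fqdn, so no per-user keytab has to be created on the machine
# or read from a login profile.
```

The same option can be given as an argument on the pam_krb5 lines of the PAM stack instead of in krb5.conf.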

