auth_to_local method for local user matching
Greg Hudson
ghudson at MIT.EDU
Thu Aug 22 01:50:58 EDT 2013
On 08/21/2013 07:09 PM, Ben H wrote:
> Are you stating that ssh (the application) is likely presenting whatever
> an 'id -un'/whoami provides and that whatever it is presenting must
> equal our "match" ?
Looking at the OpenSSH server code, I think it presents whatever local
username the client asked for, without looking it up in the passwd database.
> In other words - krb5_kuserok isn't just looking up (via getpwnam()?) to
> confirm if it can find a user with that name, but the system has to
> return the user in a format that is equivalent to the match?
krb5_kuserok doesn't look up the local username in the passwd database
at all (well, except to find the .k5login file). It just compares the
output of aname-to-lname mapping against the local username string it
was handed.
> 1) [1:$1] search for a domain name in the string and if none found,
> simply output $1 as the whole string
> 2) [1:$0\$1] search for a domain name in the string, and if found,
> output as DOMAIN\$1
>
> Whether or not the above *might* work is dependent on the rule
> processing order. Do all rules get processed, or once one matches does
> it exit?
Once one rule matches, that's it. aname-to-lname translation can only
yield one result.
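As an added illustration of the first-match behaviour described in this reply (example code written for this thread, not code from the poster or from MIT krb5): a simplified Python model of RULE-style auth_to_local processing, covering only the `RULE:[n:string](regexp)s/pattern/replacement/g` subset with $0 the realm and $1.. the principal components; the rule strings and principals used are constructed for the example, and the `.k5login` path is ignored.

```python
import re

# Simplified model of auth_to_local RULE handling (illustration, not MIT's code).
# Rules are tried in order; the first one that yields a name ends processing.
RULE_RE = re.compile(
    r'^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$')

def format_principal(principal, n, fmt):
    """Expand $0 (realm) and $1..$n (components) in fmt, or None if the
    principal does not have exactly n components."""
    if '@' not in principal:
        raise ValueError('principal must carry a realm: %r' % principal)
    name, realm = principal.rsplit('@', 1)
    comps = name.split('/')
    if len(comps) != n:
        return None
    def sub(m):
        i = int(m.group(1))
        if i > len(comps):
            raise ValueError('rule references $%d but principal has %d components' % (i, len(comps)))
        return realm if i == 0 else comps[i - 1]
    return re.sub(r'\$(\d+)', sub, fmt)

def apply_rule(rule, principal):
    """Return the local name produced by one rule, or None if it does not match."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError('unsupported rule syntax: %r' % rule)
    n, fmt, selector, pat, repl, g = m.groups()
    s = format_principal(principal, int(n), fmt)
    if s is None:
        return None
    if selector and not re.fullmatch(selector, s):   # optional (regexp) selector
        return None
    if pat:                                          # optional s/pattern/replacement/[g]
        s = re.sub(pat, repl, s, count=0 if g else 1)
    return s

def aname_to_lname(rules, principal):
    """First matching rule wins; translation yields at most one result."""
    for rule in rules:
        result = apply_rule(rule, principal)
        if result is not None:
            return result
    return None

def kuserok(rules, principal, local_user):
    """Models the string comparison krb5_kuserok performs (no passwd lookup)."""
    return aname_to_lname(rules, principal) == local_user
```

With the two rules from the question in the order given, `RULE:[1:$1]` has no selector and so matches every single-component principal, which means `RULE:[1:$0\$1]` is never reached.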