libapache2-mod-auth-kerb and cross-realm
Simo Sorce
simo at redhat.com
Thu Aug 14 17:59:49 EDT 2014
On Thu, 2014-08-14 at 20:47 +0000, Jaap Winius wrote:
> On Thu, 14 Aug 2014 09:56:35 -0400, Simo Sorce wrote:
>
> > Keep in mind that this will make foo@MYREALM.COM and foo@EXAMPLE.COM
> > effectively the same user...
>
> Yes, a nuance that did not escape me. In fact, I imagined that it was for
> security reasons that auth_to_local could only be applied to members of
> the default realm. This meant Greg's solution and explanation was all the
> more surprising to me.
>
> > .. for all applications (including Apache and SSH).
>
> Like I said in my last post, I was worried about that too, but for SSH at
> least it appears not to be a problem: I can use it to connect to the same
> host, run klist and see that I still have a MYREALM.COM tgt. OpenAFS
> doesn't care either. However, I haven't yet tested this with all of the
> other services.
What you observe is expected when you use PAM authentication in OpenSSH
(i.e. you enter username/password at the prompt); however, should you use
GSSAPI authentication instead, then both foo@MYREALM.COM and
foo@EXAMPLE.COM would be logged in as 'foo'.
> > If you do not want that what you can do is to change the first line to
> > something like:
> > auth_to_local = RULE:[1:$1@$0](.*@MYREALM.COM)s/^\(.*\)@MYREALM.COM$/myrealm-\1/
>
> An excellent idea! However, your syntax here is a bit buggy. The
> parentheses in the first half of the substitution string should not be
> escaped, while the '\1' in the replacement doesn't work; it gets
> translated literally, just as $1 is. (Why doesn't it work?)
>
> > or:
> > auth_to_local = RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$/@myrealm.com/
>
> This works in principle, but an entry shows up in the Apache error log if
> the resulting string has more than 14 characters (even if a string to
> match it exists in the 'require user' list):
>
> krb5_aname_to_localname() failed: Insufficient space to return complete
> information
Sounds like a bug in your mod_auth_kerb module; in Fedora/RHEL I see a
patch to deal with that which sets the max length to 255.
> So I've come up with this slight modification of your second method:
>
> RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$/-m/
>
> This gives 'foo@MYREALM.COM => foo-m' and will work for users with login
> names that have up to 12 characters.
as long as it works for you :-)
Simo.
--
Simo Sorce * Red Hat, Inc * New York
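To make the rule behaviour discussed in this thread concrete, here is a small emulator for auth_to_local "RULE:" entries that can be run against sample principals. It is an added example, not code from the thread or from MIT krb5, and it simplifies the real implementation in three assumed ways: the optional (regexp) part must match the whole formatted string, the replacement text of s/pat/rep/ is inserted literally (no \1 backreferences, which is what Jaap observed), and Python's re is treated as close enough to POSIX ERE for the simple patterns used here. The principals and realm names are constructed sample values.

```python
import re
from typing import List, Optional, Tuple

# Added example (not from the thread or from MIT krb5): an emulator for
# auth_to_local "RULE:[n:fmt](regexp)s/pat/rep/g..." entries.
# Assumptions: (regexp) must match the whole formatted string, s/// replacement
# text is literal (no backreferences), and Python re ~ POSIX ERE here.

SUB_RE = re.compile(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/(g?)")


class Rule:
    def __init__(self, ncomp: int, fmt: str, match: Optional[str],
                 subs: List[Tuple[str, str, bool]]):
        self.ncomp = ncomp   # principal must have exactly this many components
        self.fmt = fmt       # $0 = realm, $1..$n = principal components
        self.match = match   # optional regexp the formatted string must match
        self.subs = subs     # list of (pattern, replacement, global?)


def parse_rule(text: str) -> Rule:
    """Parse 'RULE:[n:fmt](regexp)s/pat/rep/g...' into a Rule."""
    if not text.startswith("RULE:["):
        raise ValueError("only RULE:[...] entries are supported")
    body = text[len("RULE:"):]
    close = body.index("]")
    n, fmt = body[1:close].split(":", 1)
    rest = body[close + 1:]
    match = None
    if rest.startswith("("):
        # Find the parenthesis that closes the match regexp, ignoring escaped ones.
        depth = 0
        end = 0
        for i, ch in enumerate(rest):
            escaped = i > 0 and rest[i - 1] == "\\"
            if ch == "(" and not escaped:
                depth += 1
            elif ch == ")" and not escaped:
                depth -= 1
                if depth == 0:
                    end = i
                    break
        match = rest[1:end]
        rest = rest[end + 1:]
    subs = [(pat, rep, g == "g") for pat, rep, g in SUB_RE.findall(rest)]
    return Rule(int(n), fmt, match, subs)


def split_principal(principal: str) -> Tuple[List[str], str]:
    """'host/www.example.com@REALM' -> (['host', 'www.example.com'], 'REALM')."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def apply_rule(rule: Rule, principal: str) -> Optional[str]:
    """Return the local name the rule yields, or None if the rule does not apply."""
    comps, realm = split_principal(principal)
    if len(comps) != rule.ncomp:
        return None
    s = rule.fmt.replace("$0", realm)
    for i, comp in enumerate(comps, start=1):
        s = s.replace("$%d" % i, comp)
    if rule.match is not None and re.fullmatch(rule.match, s) is None:
        return None
    for pat, rep, is_global in rule.subs:
        # A callable replacement keeps 'rep' literal: no backslash processing.
        s = re.sub(pat, lambda _m: rep, s, count=0 if is_global else 1)
    return s


def map_principal(rules: List[str], principal: str, default_realm: str) -> Optional[str]:
    """First matching RULE wins; otherwise the DEFAULT behaviour applies: a
    single-component principal in the default realm maps to its name, and
    anything else gets no local name at all."""
    for text in rules:
        local = apply_rule(parse_rule(text), principal)
        if local is not None:
            return local
    comps, realm = split_principal(principal)
    if realm == default_realm and len(comps) == 1:
        return comps[0]
    return None


if __name__ == "__main__":
    # Constructed sample: the "-m" rule from the thread, EXAMPLE.COM as default realm.
    rules = [r"RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$/-m/"]
    for p in ("foo@MYREALM.COM", "foo@EXAMPLE.COM", "host/web.example.com@MYREALM.COM"):
        print(p, "->", map_principal(rules, p, "EXAMPLE.COM"))
```

Running the three rules from the thread through this emulator shows the effects described above: the "-m" rule turns foo@MYREALM.COM into foo-m while leaving foo@EXAMPLE.COM to the DEFAULT mapping, so the two stay distinct local users; the "@myrealm.com" variant produces foo@myrealm.com, which is 15 characters and so would already trip the 14-character limit Jaap hit in mod_auth_kerb; and the "\1" variant yields the literal text myrealm-\1 once the parentheses are unescaped, since the replacement is not expanded.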