Using an alternate principal for ssh

Greg Hudson ghudson at mit.edu
Tue May 31 15:08:13 EDT 2022


On 5/31/22 12:05, Dan Mahoney wrote:
> On most of our boxes, ssh is the ONLY kerberized app, but there's no provision in krb5.conf to say what the default principal based on a username is.  None of the PAM modules seem to be able to set it, either.  I conjured up an elaborate way to do this by forcing the .k5logindir to be something the users couldn't touch, and forcing a create for each user, but this doesn't help the password case.
> 
> Does anyone know of a simple way to accomplish this?  There are some clients, like mobile ones, where, VPN or no, kinit'ing is not an option.

The OpenSSH sshd code decides the principal name, not libkrb5.  Looking
at the OpenSSH auth-krb5.c, I don't think there's any configurability;
it picks a principal name of
authctxt->pw->pw_name (except on AIX), parses that, and calls
krb5_get_init_creds_password().


More information about the Kerberos mailing list