Using an alternate principal for ssh

Carson Gaspar carson at taltos.org
Tue May 31 15:35:02 EDT 2022


On 5/31/2022 12:16 PM, Jeffrey Hutzelman wrote:
> That code should not actually used on a properly-configured PAM-based
> system. Typical configuration for such systems should enable UsePAM and
> KbdInteractiveAuthentication and disable PasswordAuthentication and
> ChallengeResponseAuthentication. This causes all password verification to
> go through PAM. Then all you need is a PAM module that can be configured to
> behave as you desire. I believe Russ Allbery's pam_krb5 has all the knobs
> you need.

I agree about the sshd config options, but looking at the source code 
for Russ's pam_krb5, I don't think it will work as-is without changing 
the username provided by the client (see my previous post).

> For true Kerberos authentication (i.e. using Kerberos tickets, not a
> password), you can control which principals are allowed to log in as a user
> by means of the user's .k5login file.

Please, no - set up a localname mapping instead of trying to manage a 
bajilion k5login files. I was so happy when MIT finally added the 
k5login_directory option so I could move .k5login out of the home dir 
and stop users from doing terrible things.

-- 

Carson




More information about the Kerberos mailing list