Using an alternate principal for ssh
Carson Gaspar
carson at taltos.org
Tue May 31 15:35:02 EDT 2022
On 5/31/2022 12:16 PM, Jeffrey Hutzelman wrote:
> That code should not actually be used on a properly-configured PAM-based
> system. Typical configuration for such systems should enable UsePAM and
> KbdInteractiveAuthentication and disable PasswordAuthentication and
> ChallengeResponseAuthentication. This causes all password verification to
> go through PAM. Then all you need is a PAM module that can be configured to
> behave as you desire. I believe Russ Allbery's pam_krb5 has all the knobs
> you need.
I agree about the sshd config options, but looking at the source code
for Russ's pam_krb5, I don't think it will work as-is without changing
the username provided by the client (see my previous post).
> For true Kerberos authentication (i.e. using Kerberos tickets, not a
> password), you can control which principals are allowed to log in as a user
> by means of the user's .k5login file.
Please, no - set up a localname mapping instead of trying to manage a
bajilion k5login files. I was so happy when MIT finally added the
k5login_directory option so I could move .k5login out of the home dir
and stop users from doing terrible things.
--
Carson
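An added example, not part of this message or of MIT krb5, of the localname mapping being recommended above. With MIT, sshd's GSSAPI authorization goes through krb5_kuserok, which consults the user's .k5login (in the home directory, or under k5login_directory) and, when there is no such file, falls back to the aname-to-localname mapping, i.e. the auth_to_local entries of the [realms] stanza for the client's default realm in krb5.conf. The Python below re-implements the documented RULE:[n:string](regexp)s/pattern/replacement/[g] and DEFAULT forms so a candidate rule set can be checked against a list of principals before it goes into production. The realm EXAMPLE.COM, the principals and the rule set are constructed for the example, and regexes are evaluated with Python's re module rather than the POSIX ERE that MIT uses, so treat it as a sanity check of a rule set rather than as an oracle.

```python
r"""Evaluate MIT Kerberos auth_to_local rules against principal names.

Added example for this thread, not code from MIT krb5 or from the poster.
It re-implements the documented RULE:[n:string](regexp)s/pat/repl/[g] and
DEFAULT forms so a mapping can be tried offline.  Regexes go through Python's
re module instead of POSIX ERE, a deliberate simplification.

The constructed RULES below correspond to this krb5.conf fragment:

    [realms]
        EXAMPLE.COM = {
            auth_to_local = RULE:[2:$1;$2@$0](^[a-z]+;ssh@EXAMPLE\.COM$)s/;ssh@EXAMPLE\.COM$//
            auth_to_local = DEFAULT
        }
"""
import re


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm); escaped '/' or '@' not handled."""
    if "@" not in principal:
        raise ValueError("principal must carry a realm: %r" % principal)
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def _scan_bracketed(s, i, open_ch, close_ch):
    """Return (inner, index after close) for the bracketed region starting at s[i]."""
    if i >= len(s) or s[i] != open_ch:
        raise ValueError("expected %r at offset %d of %r" % (open_ch, i, s))
    depth, j = 0, i
    while j < len(s):
        if s[j] == "\\":            # skip escaped characters, including escaped brackets
            j += 2
            continue
        if s[j] == open_ch:
            depth += 1
        elif s[j] == close_ch:
            depth -= 1
            if depth == 0:
                return s[i + 1:j], j + 1
        j += 1
    raise ValueError("unterminated %s...%s in %r" % (open_ch, close_ch, s))


def _parse_subst(s, i):
    """Parse s<d>pattern<d>replacement<d>[g] at s[i]; <d> is whatever follows the 's'."""
    delim, parts, cur, j = s[i + 1], [], [], i + 2
    while j < len(s) and len(parts) < 2:
        if s[j] == "\\" and j + 1 < len(s):  # keep escapes intact for the regex engine
            cur.append(s[j:j + 2])
            j += 2
            continue
        if s[j] == delim:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[j])
        j += 1
    if len(parts) != 2:
        raise ValueError("malformed substitution in %r" % s)
    is_global = j < len(s) and s[j] == "g"
    return parts[0], parts[1], is_global, j + (1 if is_global else 0)


def apply_rule(rule, components, realm, default_realm):
    """Local name produced by one rule, or None if the rule does not apply."""
    if rule == "DEFAULT":  # only single-component principals of the default realm
        return components[0] if len(components) == 1 and realm == default_realm else None
    if not rule.startswith("RULE:"):
        raise ValueError("unsupported auth_to_local entry: %r" % rule)
    body = rule[len("RULE:"):]
    selector, i = _scan_bracketed(body, 0, "[", "]")
    n_str, _, fmt = selector.partition(":")
    if int(n_str) != len(components):
        return None
    # $0 expands to the realm, $1..$n to the principal's components.
    candidate = re.sub(r"\$(\d+)", lambda m: (realm if m.group(1) == "0"
                                              else components[int(m.group(1)) - 1]), fmt)
    if i < len(body) and body[i] == "(":
        regexp, i = _scan_bracketed(body, i, "(", ")")
        if re.fullmatch(regexp, candidate) is None:  # MIT: the whole string must match
            return None
    while i < len(body) and body[i] == "s":
        pattern, repl, is_global, i = _parse_subst(body, i)
        candidate = re.sub(pattern, repl, candidate, count=0 if is_global else 1)
    return candidate


def map_principal(principal, rules, default_realm):
    """First rule that yields a name wins; None means no local user, i.e. deny."""
    components, realm = parse_principal(principal)
    for rule in rules:
        local = apply_rule(rule, components, realm, default_realm)
        if local is not None:
            return local
    return None


DEFAULT_REALM = "EXAMPLE.COM"
RULES = [
    # user/ssh@EXAMPLE.COM -> user.  $0 pins the realm: without it a
    # cross-realm-trusted alice/ssh@PARTNER.EXAMPLE would also become "alice".
    r"RULE:[2:$1;$2@$0](^[a-z]+;ssh@EXAMPLE\.COM$)s/;ssh@EXAMPLE\.COM$//",
    "DEFAULT",
]

if __name__ == "__main__":
    for p in ("alice/ssh@EXAMPLE.COM", "alice/admin@EXAMPLE.COM", "bob@EXAMPLE.COM",
              "bob@PARTNER.EXAMPLE", "alice/ssh@PARTNER.EXAMPLE"):
        print("%-26s -> %s" % (p, map_principal(p, RULES, DEFAULT_REALM)))
```

Running the module prints the mapping table; a None result is a refused login. The reason the example selector carries $0: MIT looks the auth_to_local list up under the client's default realm, not under the principal's realm, so a rule whose regexp never tests the realm will map alice/ssh@PARTNER.EXAMPLE to alice as soon as a cross-realm trust exists. Pinning the realm in the regexp (or using a [k:...] selector that includes $0) is the check to keep when you move from per-user .k5login files to a central mapping.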