Using an alternate principal for ssh

Jeffrey Hutzelman jhutz at cmu.edu
Tue May 31 15:43:41 EDT 2022


On Tue, May 31, 2022 at 3:36 PM Carson Gaspar <carson at taltos.org> wrote:

> On 5/31/2022 12:16 PM, Jeffrey Hutzelman wrote:
> > That code should not actually used on a properly-configured PAM-based
> > system. Typical configuration for such systems should enable UsePAM and
> > KbdInteractiveAuthentication and disable PasswordAuthentication and
> > ChallengeResponseAuthentication. This causes all password verification to
> > go through PAM. Then all you need is a PAM module that can be configured
> to
> > behave as you desire. I believe Russ Allbery's pam_krb5 has all the knobs
> > you need.
>
> I agree about the sshd config options, but looking at the source code
> for Russ's pam_krb5, I don't think it will work as-is without changing
> the username provided by the client (see my previous post).
>

It will. You want something like
alt_auth_map=%s/ssh at REALM
only_alt_auth=true



> > For true Kerberos authentication (i.e. using Kerberos tickets, not a
> > password), you can control which principals are allowed to log in as a
> user
> > by means of the user's .k5login file.
>
> Please, no - set up a localname mapping instead of trying to manage a
> bajilion k5login files.


Yeah, a mapping is probably better for this application.


More information about the Kerberos mailing list