Using an alternate principal for ssh
Dan Mahoney
danm at prime.gushi.org
Tue May 31 15:51:39 EDT 2022
> On May 31, 2022, at 3:35 PM, Carson Gaspar <carson at taltos.org> wrote:
>
> On 5/31/2022 12:16 PM, Jeffrey Hutzelman wrote:
>> That code should not actually be used on a properly-configured PAM-based
>> system. Typical configuration for such systems should enable UsePAM and
>> KbdInteractiveAuthentication and disable PasswordAuthentication and
>> ChallengeResponseAuthentication. This causes all password verification to
>> go through PAM. Then all you need is a PAM module that can be configured to
>> behave as you desire. I believe Russ Allbery's pam_krb5 has all the knobs
>> you need.
>
> I agree about the sshd config options, but looking at the source code for Russ's pam_krb5, I don't think it will work as-is without changing the username provided by the client (see my previous post).
I had missed Russ' pam_krb5. I had looked at the stock FreeBSD one and the redhat one, which lack those options. This warrants building some VMs to mess around with.
>
>> For true Kerberos authentication (i.e. using Kerberos tickets, not a
>> password), you can control which principals are allowed to log in as a user
>> by means of the user's .k5login file.
>
> Please, no - set up a localname mapping instead of trying to manage a bajillion k5login files. I was so happy when MIT finally added the k5login_directory option so I could move .k5login out of the home dir and stop users from doing terrible things.
Our userbase is pretty small and systems are overall managed with puppet, so that's not a problem for us. We'd need to either disallow GSSAPI entirely, or accept that we need to manipulate a dir of k5login files outside the users' homedirs.
I'll take a directory of k5login files. As an organization we don't like pubkey auth because there's no easy central control over users. (i.e. pubkey completely sidesteps kerberos. If you have something like ldap deployed, that can help, but we don't like the idea of every system call like ls -al phoning an LDAP server.)
-Dan
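The two approaches discussed in this thread side by side (PAM-only password checks in sshd, plus a localname mapping and a k5login directory for GSSAPI logins), as an added example that is not from any of the posters. The realm EXAMPLE.ORG, the /etc/k5login.d path and the dan/ssh principal are assumed names; the option names are MIT krb5 and OpenSSH ones.

```conf
# /etc/ssh/sshd_config (excerpt): every password check goes through PAM
UsePAM yes
KbdInteractiveAuthentication yes
PasswordAuthentication no
# On OpenSSH 8.7 and later ChallengeResponseAuthentication is a deprecated
# alias of KbdInteractiveAuthentication, so do not also set it to "no" here:
# the later line would win and switch keyboard-interactive (and PAM) off.
GSSAPIAuthentication yes

# /etc/krb5.conf (excerpt)
[libdefaults]
    default_realm = EXAMPLE.ORG          # assumed realm
    # Keep k5login files out of home directories: /etc/k5login.d/<localuser>
    # is consulted instead of ~<localuser>/.k5login (assumed path).
    k5login_directory = /etc/k5login.d
    # If a k5login file exists for the local user, only the principals listed
    # in it may log in as that user; auth_to_local is not tried as a fallback.
    # Users with no k5login file still get the auth_to_local rules below.
    k5login_authoritative = true

[realms]
    EXAMPLE.ORG = {
        # Localname mapping instead of a k5login file: dan/ssh@EXAMPLE.ORG -> dan.
        # [2:$1;$2] formats two-component principals as "$1;$2", the regexp
        # selects those ending in ";ssh", and the substitution strips it.
        auth_to_local = RULE:[2:$1;$2](^.*;ssh$)s/;ssh$//
        auth_to_local = DEFAULT
    }

# /etc/k5login.d/dan, one principal per line, pushed by configuration
# management rather than edited by the user (assumed content):
#   dan/ssh@EXAMPLE.ORG
#   dan@EXAMPLE.ORG
```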