Using an alternate principal for ssh

Carson Gaspar carson at taltos.org
Tue May 31 16:02:57 EDT 2022


On 5/31/2022 12:43 PM, Jeffrey Hutzelman wrote:
>
> On Tue, May 31, 2022 at 3:36 PM Carson Gaspar <carson at taltos.org> wrote:
>
>     I agree about the sshd config options, but looking at the source code
>     for Russ's pam_krb5, I don't think it will work as-is without
>     changing
>     the username provided by the client (see my previous post).
>
>
> It will. You want something like
> alt_auth_map=%s/ssh at REALM
> only_alt_auth=true

Ah - I missed that as it takes a different code path that bypasses the 
normal user name mapping. Thanks for the correction!

-- 

Carson



More information about the Kerberos mailing list