Does the development team have recommendation on pam_krb5?
gmachin at sandia.gov
Fri Feb 13 13:46:50 EST 2009
Nalin, thanks for the feedback. I did not know if they had been derived
from the same initial code base.
> Mapping from user names to principal names is configurable using regular expressions.
The problem with a regular expression is that there must be a
reproducible pattern for all users.
If I manage 2 realms where jdoe at realma is jdoe at realmb, regular
expressions work well, but if realmb can assign arbitrary names with no
pattern, the only thing you can use is a database or directory where the
user's realmb principal name is defined.
That's why utilizing the .k5login information to determine the user's
"Kerberos realm(s)" identity for authentication is important. In order
for OpenSSH to use gssapi-with-mic you already have to have that mapping
information in the .k5login file.
So if regular expressions won't work I'm really left with the .k5login,
unless we can use a plug-in for krb5_aname_to_localname() which can
use the same directory service that is being used by nsswitch (nss_ldap,
winbind). I personally don't like .k5login since it's user-definable
and reminds me of the .rhosts file.
Nalin Dahyabhai wrote:
> On Fri, Feb 13, 2009 at 10:17:44AM -0700, Glenn Machin wrote:
>> From what I can tell there are 2 sources for pam_krb5.
>> It is my understanding that Fedora/RedHat uses 2.2/2.3 version while
>> Solaris 10, Ubuntu/Debian use 3.X version maintained by Russ Allbery.
>> From what I can tell they are divergent code branches.
> I don't think Russ's is derived from the one we use, which started its
> life as a rewrite of the one that preceded it. Based on its man page, I
> doubt Sun's is related to either.
> Preauth settings are settable in 2.2.19 and later. Mapping from user
> names to principal names is configurable using regular expressions.
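The two mapping strategies the thread contrasts, as an added illustration that is not part of the original message or of any pam_krb5 implementation: a simplified, single-rule reimplementation of the krb5.conf auth_to_local RULE syntax ([n:string](regexp)s/pattern/replacement/, here with full-string matching and no "g" flag) beside a lookup table standing in for the directory (nss_ldap/winbind) data, plus a .k5login-style check. The realm names, principals and table contents are constructed.

```python
import re

# Constructed stand-in for a directory lookup (LDAP/winbind): REALMB
# principals whose names follow no pattern relative to the local account.
DIRECTORY_MAP = {"jd4821@REALMB": "jdoe", "mary.lee@REALMB": "mlee"}

def split_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    if "@" not in principal:
        raise ValueError("principal lacks a realm: %r" % principal)
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm

def map_by_rule(principal, rule):
    """Apply one simplified auth_to_local RULE; None when it does not apply."""
    m = re.fullmatch(r"\[(\d+):([^\]]*)\]\(([^)]*)\)(?:s/([^/]*)/([^/]*)/)?", rule)
    if not m:
        raise ValueError("unsupported rule syntax: %r" % rule)
    n, fmt, regex, pat, repl = m.groups()
    comps, realm = split_principal(principal)
    if len(comps) != int(n):          # rule applies only to n-component names
        return None
    s = fmt.replace("$0", realm)      # $0 is the realm, $1..$n the components
    for i, comp in enumerate(comps, 1):
        s = s.replace("$%d" % i, comp)
    if not re.fullmatch(regex, s):    # the built string must match (regexp)
        return None
    return re.sub(pat, repl, s) if pat else s

def local_name(principal, rules, table=DIRECTORY_MAP):
    """Pattern rules first; fall back to the directory table for the rest."""
    for rule in rules:
        name = map_by_rule(principal, rule)
        if name:
            return name
    return table.get(principal)

def k5login_allows(k5login_text, principal):
    """Authorize a principal against the lines of a user's .k5login file."""
    allowed = {ln.strip() for ln in k5login_text.splitlines() if ln.strip()}
    return principal in allowed
```

With a rule such as `[1:$1@$0](.*@REALMA)s/@REALMA//`, jdoe@REALMA maps to jdoe by pattern, while jd4821@REALMB can only be resolved through the table, which is the point made above about realms with arbitrary naming.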