Does the development team have recommendation on pam_krb5?

Glenn Machin gmachin at
Fri Feb 13 13:46:50 EST 2009

Nalin thanks for the feedback.  I did not know if they had been derived 
from the same initial code base.

> Mapping from user names to principal names is configurable using regular expressions.

The problem with a regular expression is that there must be a 
reproducible pattern for all users.

If I manage 2 realms where jdoe at realma is jdoe at realmb, regular 
expressions work well, but if realmb can assign arbitrary names with no 
pattern the only thing you can use is a database or directory where the 
user's realmb principal name is defined.

That's why utilizing the .k5login information to determine the user's 
"Kerberos realm(s)" identity for authentication is important.   In order 
for OpenSSH to use gssapi-with-mic you already have to have that mapping 
information in the .k5login file.

So if regular expressions won't work I'm really left with the .k5login 
unless we can use a plug-in for krb5_aname_to_localname() which can 
use the same directory service that is being used by nsswitch (nss_ldap, 
winbind).   I personally don't like .k5login since it's user-definable 
and reminds me of the .rhosts file.

Thanks again......


Nalin Dahyabhai wrote:
> On Fri, Feb 13, 2009 at 10:17:44AM -0700, Glenn Machin wrote:
>>  From what I can tell there are 2 sources for pam_krb5.
>> It is my understanding that Fedora/RedHat uses 2.2/2.3 version while 
>> Solaris 10, Ubuntu/Debian use 3.X version maintained by Russ Allbery.   
>> From what I can tell they are divergent code branches.  
> I don't think Russ's is derived from the one we use, which started its
> life as a rewrite of the one that preceded it.  Based on its man page, I
> doubt Sun's is related to either.
> Preauth settings are settable in 2.2.19 and later.  Mapping from user
> names to principal names is configurable using regular expressions.
> Cheers,
> Nalin
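As an added illustration (not code from this thread, nor from any pam_krb5 implementation), the following Python sketch contrasts the three ways of tying a Kerberos principal to a local account that the exchange above discusses: regex-based name mapping, a directory lookup of the kind a krb5_aname_to_localname() plug-in could perform, and a per-user .k5login list. All user names, realms, directory entries and .k5login contents are constructed placeholders; the regex rules are a simplified (pattern, replacement) form, not MIT krb5's auth_to_local RULE syntax, and the .k5login handling is a toy reimplementation of the file's one-principal-per-line format rather than libkrb5's own code.

```python
import re
from typing import Optional

# Constructed sample data for this illustration (not from the thread).
LOCAL_USERS = {"jdoe", "asmith"}

# Regex rules in the spirit of krb5.conf auth_to_local RULE entries. This is a
# simplified (pattern, replacement) form, not a parser of the real RULE syntax.
# They cover the "jdoe@REALMA is jdoe@REALMB" case, i.e. names with a
# reproducible pattern across both realms.
REGEX_RULES = [
    (r"^([a-z]+)@REALMA\.EXAMPLE$", r"\1"),
    (r"^([a-z]+)@REALMB\.EXAMPLE$", r"\1"),
]


def map_by_regex(principal: str) -> Optional[str]:
    """Map a principal to a local account using the regex rules.

    Only works when the principal name follows a predictable pattern; an
    arbitrary REALMB name such as u48213@REALMB.EXAMPLE yields None.
    """
    for pattern, replacement in REGEX_RULES:
        if re.fullmatch(pattern, principal):
            candidate = re.sub(pattern, replacement, principal)
            if candidate in LOCAL_USERS:
                return candidate
    return None


# Constructed directory mapping, standing in for an nss_ldap/winbind-backed
# lookup that a krb5_aname_to_localname() plug-in could consult instead of
# a regex. Administered centrally, so users cannot edit it themselves.
DIRECTORY = {
    "jdoe@REALMA.EXAMPLE": "jdoe",
    "u48213@REALMB.EXAMPLE": "jdoe",  # arbitrary REALMB name, no pattern
    "asmith@REALMA.EXAMPLE": "asmith",
}


def map_by_directory(principal: str) -> Optional[str]:
    """Map a principal to a local account via the (constructed) directory."""
    user = DIRECTORY.get(principal)
    return user if user in LOCAL_USERS else None


# Constructed per-user .k5login contents. The real file lives in each user's
# home directory and is user-editable, which is the .rhosts-style concern
# raised in the thread: the user, not the administrator, decides the mapping.
K5LOGIN = {
    "jdoe": "# jdoe's identities\njdoe@REALMA.EXAMPLE\nu48213@REALMB.EXAMPLE\n",
    "asmith": "asmith@REALMA.EXAMPLE\n",
}


def parse_k5login(text: str) -> set:
    """One principal per line; blank lines and '#' comment lines are ignored."""
    principals = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            principals.add(line)
    return principals


def k5login_allows(local_user: str, principal: str) -> bool:
    """Authorization check modelled on .k5login: is principal listed for local_user?

    Real libkrb5 falls back to aname-to-lname mapping when the file is absent;
    this toy simply answers False in that case.
    """
    text = K5LOGIN.get(local_user)
    if text is None:
        return False
    return principal in parse_k5login(text)


def map_by_k5login(principal: str) -> list:
    """Reverse lookup: which local accounts list this principal in .k5login?

    Returns a list because nothing stops several users from listing the same
    principal, which is one reason it is a poor substitute for a directory.
    """
    return sorted(u for u, text in K5LOGIN.items() if principal in parse_k5login(text))


if __name__ == "__main__":
    for p in ("jdoe@REALMB.EXAMPLE", "u48213@REALMB.EXAMPLE"):
        print(p, "regex->", map_by_regex(p), "directory->", map_by_directory(p),
              "k5login->", map_by_k5login(p))
```

Running the block shows the point of the thread: the regex rule resolves jdoe@REALMB.EXAMPLE but returns None for the patternless u48213@REALMB.EXAMPLE, while both the directory and the .k5login reverse lookup resolve it to jdoe, with the difference that only the directory is under administrative control.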
