[32514] in Kerberos
Re: pam_krb5 questions
daemon@ATHENA.MIT.EDU (Techie)
Thu Jul 15 16:24:04 2010
MIME-Version: 1.0
In-Reply-To: <4C3F64D8.9050805@anl.gov>
Date: Thu, 15 Jul 2010 13:23:53 -0700
Message-ID: <AANLkTinHsWjc04Uxqot6gpr1BrOnTa3pAyfttZEfUYgR@mail.gmail.com>
From: Techie <techchavez@gmail.com>
To: "Douglas E. Engert" <deengert@anl.gov>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On Thu, Jul 15, 2010 at 12:43 PM, Douglas E. Engert <deengert@anl.gov> wrote:
>
> On 7/15/2010 2:15 PM, Techie wrote:
>> Hi,
>>
>> This question is actually regarding both the RHEL pam_krb5 and the
>> Debian or Russ's pam_krb5. What I am trying to do is to have krb5
>> principals login via ssh and authenticate to a local account.
>> So principal joejohnson@EXAMPLE.COM should be authenticated as local
>> account joe on the local box. I should mention that the host does not
>> have a keytab but I am simply trying to authenticate via ssh. I can
>> authenticate perfectly if the principal matches the local account.
>>
>> Now I see that the krb5.conf allows for something like this.. But it
>> does not work.. Auth fails and I get an error that joe@EXAMPLE.COM is
>> not found in the database. It is not mapping joejohnson@EXAMPLE.COM to
>> joe... It's trying joe@EXAMPLE.COM which won't work. This is true on
>> RHEL and Debian.
>>
>> [REALMS]
>> EXAMPLE.COM = {
>>     auth_to_local_names = {
>>         joejohnson = joe
>>     }
>> }
>>
>> However, if I put this in appdefaults and add a .k5login with
>> joejohnson@EXAMPLE.COM in /home/joe, I can login via ssh fine.. This
>> is only with Debian!!, RHEL still fails.
>>
>> [appdefaults]
>> forwardable = true
>> pam = {
>>     minimum_uid = 100
>>     EXAMPLE.COM = {
>>         search_k5login = true
>>     }
>> }
>>
>> But I'd rather use auth_to_local_names or auth_to_local with a
>> regex.. A .k5login for every user may get tedious but I can deal if I
>> have to.
>> Now the RedHat krb5.conf man page states that I can use these
>> auth_to_local parameters but as I said it still looks for the
>> joe@EXAMPLE.COM entry and not the joejohnson@EXAMPLE.COM entry... What
>> am I doing wrong? Also it seems that the RHEL pam_krb5 does not
>> support "search_k5login", is that accurate?
>
> Interestingly, I have been looking at this same problem this week!
>
> Russ's pam_krb5 has both the prompt_principal and search_k5login
> that could be used.
> The RedHat one has only a "mappings = regex regex ..." option, which
> is not very flexible. If it's only for a few users it might work.
> In either case you still need ~/.k5login or auth_to_local.
>
> Options include:
>
> Run Russ's pam_krb5, at least for sshd.

I compiled Russ's pam_krb5 on Fedora and now I can use the .k5login
file to auth with joejohnson@EXAMPLE.COM to my local joe account.
However the auth_to_local_names maps don't work.. Only the .k5login
works.. If I remove auth_to_local_names altogether it still works with
the .k5login in place. So it seems .k5login is working while
auth_to_local_names is not..

You said above I would still need .k5login or auth_to_local. I assume
then that auth_to_local_names won't work, period?

> Use double /etc/passwd entries like:
> joe:x:11111:22222:Joe original:/home/joe:/bin/bash
> joejohnson:x:11111:22222:Joe original:/home/joe:/bin/bash

I did not have to do this step, duplicating the passwd entries. Can
you please explain the need for this? I did notice that using .k5login
the sudo command breaks and does not accept the kerb password. Is
there a way around this? I have the pam_krb5 listed in all 4 PAM
stacks but it still does not accept the kerb password for sudo.

> Also duplicate any joe entries with joejohnson entries in /etc/group
> and/or netgroups.
>
> If using ldap you can add a uid=joejohnson attribute to the joe account,
> and add joejohnson to any groups and/or netgroups.
>
>> What is the suggested method here for mapping principals with unlike
>> local account names using both RHEL and Debian pam_krb5? I must be
>> doing something incorrectly so any help is appreciated.
>
> Not doing anything wrong, sshd and RedHat pam_krb5 are not very
> flexible.

That's good to know. Even on a Debian box I am unable to use
auth_to_local_names.. Is there a specific section I am supposed to put
this auth_to_local_names entry in? I am specifying it in the [REALM]
section as instructed by the krb5.conf man page.

Thanks again
TC

>> Thanks
>> TC
>
> --
> Douglas E. Engert <DEEngert@anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
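The mapping the thread is chasing (principal joejohnson@EXAMPLE.COM logging in as local user joe) is two separate steps on the server: libkrb5's principal-to-local-name translation, and the krb5_kuserok-style authorization check that sshd and pam_krb5 apply to the result. The following Python is an added example written for this page; it is not code from the thread, from either pam_krb5, or from MIT libkrb5. It models the lookup order MIT's krb5.conf documentation describes: `auth_to_local_names` (tag is the principal name without realm) is consulted first, then each `auth_to_local` entry in order, where `RULE:[n:string](regexp)s/pattern/replacement/[g]` formats the principal's components, requires a full regexp match, and applies a sed-style substitution, and `DEFAULT` maps a single-component principal in the default realm to that component. A `~/.k5login`, when present, is authoritative and the mapping is not consulted. The realm configuration, the rules and all principal names below are constructed for the example.

```python
"""Model of MIT Kerberos principal-to-local-name mapping and the
krb5_kuserok-style login check that sshd/pam_krb5 rely on.

Added example: not code from this thread, pam_krb5 or libkrb5. The
REALM_CONFIG below stands in for a krb5.conf [realms] section and is
constructed for illustration.
"""
import re

DEFAULT_REALM = "EXAMPLE.COM"  # constructed; stands in for [libdefaults] default_realm

REALM_CONFIG = {  # constructed; stands in for [realms] EXAMPLE.COM = { ... }
    "EXAMPLE.COM": {
        # auth_to_local_names: tag is the principal name without its realm
        "auth_to_local_names": {"joejohnson": "joe"},
        # auth_to_local: tried in order after the explicit names above
        "auth_to_local": [
            # "<x>johnson@EXAMPLE.COM" -> "<x>": format as $1@$0, require a
            # full match, then strip the suffix with a sed-style substitution
            r"RULE:[1:$1@$0](^[a-z]+johnson@EXAMPLE\.COM$)s/johnson@EXAMPLE\.COM$//",
            "DEFAULT",
        ],
    },
}

# RULE:[n:string](regexp)s/pattern/replacement/[g]; regexp and s/// are optional
_RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"
    r"(?:\((?P<match>.*?)\)(?=s/|$))?"
    r"(?:s/(?P<pat>(?:[^/\\]|\\.)*)/(?P<rep>(?:[^/\\]|\\.)*)/(?P<g>g?))?$"
)


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("expected name@REALM: %r" % principal)
    return name.split("/"), realm


def apply_rule(rule, components, realm):
    """Apply one RULE: entry; return the local name, or None if it does not fire."""
    m = _RULE_RE.match(rule)
    if m is None:
        raise ValueError("malformed auth_to_local rule: %r" % rule)
    if int(m["n"]) != len(components):
        return None  # rule is written for a different number of components

    def expand(ref):  # $0 is the realm, $1..$n the principal components
        i = int(ref.group(1))
        if i > len(components):
            raise ValueError("$%d out of range in rule %r" % (i, rule))
        return realm if i == 0 else components[i - 1]

    formatted = re.sub(r"\$(\d+)", expand, m["fmt"])
    if m["match"] is not None and re.fullmatch(m["match"], formatted) is None:
        return None  # the whole formatted string must match the regexp
    if m["pat"] is not None:
        count = 0 if m["g"] else 1  # trailing 'g' means replace all occurrences
        formatted = re.sub(m["pat"], m["rep"], formatted, count=count)
    return formatted


def principal_to_local(principal, realm_config=REALM_CONFIG,
                       default_realm=DEFAULT_REALM):
    """Map a principal to a local user name, or None when nothing maps it."""
    components, realm = parse_principal(principal)
    cfg = realm_config.get(realm, {})
    name_without_realm = "/".join(components)
    names = cfg.get("auth_to_local_names", {})
    if name_without_realm in names:
        return names[name_without_realm]
    for rule in cfg.get("auth_to_local", ["DEFAULT"]):
        if rule == "DEFAULT":
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        local = apply_rule(rule, components, realm)
        if local is not None:
            return local
    return None  # an unmapped principal is denied, never guessed


def kuserok(principal, local_user, k5login=None, **mapping_kwargs):
    """krb5_kuserok-style check: a ~/.k5login (list of principals) is
    authoritative when present; otherwise the mapped name must equal the
    local account the user asked to log in as."""
    if k5login is not None:
        return principal in k5login
    return principal_to_local(principal, **mapping_kwargs) == local_user


if __name__ == "__main__":
    for p in ("joejohnson@EXAMPLE.COM", "billjohnson@EXAMPLE.COM", "joe@EXAMPLE.COM",
              "joe@OTHER.COM", "host/db1.example.com@EXAMPLE.COM"):
        print("%-36s -> %s" % (p, principal_to_local(p)))
    print(kuserok("joejohnson@EXAMPLE.COM", "joe"))
    print(kuserok("joejohnson@EXAMPLE.COM", "joe", k5login=["alice@EXAMPLE.COM"]))
```

Two points the model makes visible: the mapping is keyed by the principal's realm, so a principal from another realm, or a multi-component service principal, maps to nothing and is refused rather than falling back to a guess; and once a `.k5login` exists for the account it is the only thing consulted, which matches the thread's observation that login keeps working with `.k5login` in place whether or not `auth_to_local_names` is configured. The `RULE:` parser accepts the general form, so the same function covers rules beyond the one case in the thread, such as `RULE:[2:$1;$2](^.*;admin$)s/;admin$//` for two-component names.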