[32515] in Kerberos
Re: pam_krb5 questions
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Thu Jul 15 16:40:32 2010
Message-ID: <4C3F723B.3070605@anl.gov>
Date: Thu, 15 Jul 2010 15:40:27 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Techie <techchavez@gmail.com>
In-Reply-To: <AANLkTinHsWjc04Uxqot6gpr1BrOnTa3pAyfttZEfUYgR@mail.gmail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 7/15/2010 3:23 PM, Techie wrote:
> On Thu, Jul 15, 2010 at 12:43 PM, Douglas E. Engert<deengert@anl.gov> wrote:
>>
>>
>> On 7/15/2010 2:15 PM, Techie wrote:
>>> Hi,
>>>
>>> This question is actually regarding both the RHEL pam_krb5 and the
>>> Debian or Russ's pam_krb5. What I am trying to do is to have krb5
>>> principals login via ssh and authenticate to a local account.
>>> so principal joejohnson@EXAMPLE.COM should be authenticated as local
>>> account joe on the local box. I should mention that the host does not
>>> have a keytab but I am simply trying to authenticate via ssh. I can
>>> authenticate perfectly if the principal matches the local account.
>>>
>>> Now I see that the krb5.conf allows for something like this.. But it
>>> does not work..Auth fails and I get an error that joe@EXAMPLE.COM is
>>> not found in the database. It is not mapping joejohnson@EXAMPLE.COM to
>>> joe...It's trying joe@EXAMPLE.COM which won't work. This is true on
>>> RHEL and Debian.
>>>
>>> [REALMS]
>>> EXAMPLE.COM = {
>>> auth_to_local_names = {
>>> joejohnson = joe
>>> }
>>> }
>>>
>>> However, If I put this in appdefaults and add a .k5login with
>>> joejohnson@EXAMPLE.COM in /home/joe, I can login via ssh fine.. This
>>> is only with Debian!!, RHEL still fails.
>>>
>>> [appdefaults]
>>> forwardable = true
>>> pam = {
>>> minimum_uid = 100
>>> EXAMPLE.COM = {
>>> search_k5login = true
>>> }
>>> }
>>>
>>> But I'd rather use auth_to_local_names or auth_to_local with a
>>> regex..A .k5login for every user may get tedious but I can deal if I
>>> have to.
>>> Now the RedHat krb5.conf man page states that I can use these
>>> auth_to_local parameters but as I said it still looks for the
>>> joe@EXAMPLE.COM entry and not the joejohnson@EXAMPLE.COM entry... What
>>> am I doing wrong. Also it seems that the RHEL pam_krb5 does not
>>> support "search_k5login", is that accurate?
>>
>> Interestingly, I have been looking at this same problem this week!
>>
>> Russ's pam_krb5 has both the prompt_principal, and search_k5login
>> that could be used. The RedHat has only a mappings = regex regex ...
>> option which is not very flexible. If it's only for a few users
>> it might work. In either case you still need ~/.k5login or auth_to_local
>>
>> Options include:
>>
>> run Russ's pam_krb5, at least for sshd.
> I compiled Russ's pam_krb5 on Fedora and now I can use the .k5login
> file to auth with joejohnson@EXAMPLE.COM to my local joe account.
> However the auth_to_local_names maps don't work..Only the .k5login
> works.. If I remove auth_to_local_names altogether it still works with
> the .k5login in place. So it seems .k5login is working while
> auth_to_local_names is not..
> You said above I would still need .k5login or auth_to_local.
Ask Russ, but I think the prompt_principal might work with
auth_to_local. In any case, .k5login works, so use it.
> I assume
> then that auth_to_local_names won't work period?
>>
>> Use double /etc/password entries like:
>> joe:x:11111:22222:Joe original:/home/joe:/bin/bash
>> joejohnson:x:11111:22222:Joe original:/home/joe:/bin/bash
>>
> I did not have to do this step, duplicating the password entries. Can
> you please explain the need for this?
If you wanted to continue to use the Red-Hat pam_krb5, this would
be another option, as the user could then ssh joejohnson@host and
end up using the joe account. It has its restrictions as joejohnson
can only login to the joe account.
> I did notice that using .k5login
> the sudo command breaks and does not accept the kerb password. Is
> there a way around this? I have the pam_krb5 listed in all 4 PAM
> stacks but still does not accept kerb password for sudo.
Interesting. I have not tested this. You may only want to
use Russ's pam_krb5 on sshd, and leave the rest alone.
Try adding the joe@realm to the .k5login too.
>> Also duplicate any joe entries with joejohnson entries in /etc/groups
>> and/or netgroups.
>>
>> If using ldap you can add a Uid=joejohnson attribute to the joe account,
>> and add joejohnson to any groups and/or netgroups.
>>
>>>
>>> What is the suggested method here for mapping principals with unlike
>>> local account names using both RHEL and Debian pam_krb? I must be
>>> doing something incorrectly so any help is appreciated.
>>
>> Not doing anything wrong, sshd and RedHat pam_krb5 are not very
>> flexible.
> That's good to know. Even on a debian box I am unable to use
> auth_to_local_names.. Is there a specific section I am supposed to put
> this auth_to_local_names entry?
Sounds like it is not needed if you have the .k5login. I only used it
a long time ago, for mapping realms. It's tricky to set up too.
> I am specifying it in the [REALM]
> section as instructed by the krb5.conf man page.
>
> Thanks again
> TC
>>
>>>
>>> Thanks
>>> TC
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
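The thread turns on two different mappings that are easy to confuse: auth_to_local_names maps a Kerberos principal to a local account name (the direction sshd's GSSAPI authorization, via krb5_kuserok, consults), while a password login through pam_krb5 starts from the local username and derives user@default_realm, which is why the lookup for joe@EXAMPLE.COM fails unless search_k5login points it at the principals listed in ~/.k5login. The following is an added, simplified model of both mechanisms written for this page; it is not code from the mailing list, MIT Kerberos, or either pam_krb5, and the krb5.conf fragment, the .k5login contents and the function names are constructed for illustration. Note that the model uses the lowercase [realms] section name.

```python
"""Simplified model of principal <-> local account mapping (constructed example)."""
import re
from typing import Dict, List, Optional

DEFAULT_REALM = "EXAMPLE.COM"  # assumed default_realm for the examples below

# Constructed krb5.conf fragment with the mapping discussed in the thread.
KRB5_CONF = """
[realms]
    EXAMPLE.COM = {
        auth_to_local_names = {
            joejohnson = joe
        }
    }
"""

# Constructed /home/joe/.k5login: principals allowed to log in as "joe".
K5LOGIN = "joejohnson@EXAMPLE.COM\n"


def parse_auth_to_local_names(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {realm: {principal_name: local_name}} from a krb5.conf-style text.
    Minimal brace-tracking parser covering only the [realms] section."""
    maps: Dict[str, Dict[str, str]] = {}
    section, realm, depth, in_names = None, None, 0, False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm, depth, in_names = line[1:-1].lower(), None, 0, False
            continue
        if section != "realms":
            continue
        if line == "}":
            depth -= 1
            if depth == 1:
                in_names = False
            elif depth == 0:
                realm = None
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            depth += 1
            if depth == 1:
                realm = m.group(1)
                maps.setdefault(realm, {})
            elif depth == 2 and m.group(1) == "auth_to_local_names":
                in_names = True
            continue
        m = re.match(r"^(\S+)\s*=\s*(\S+)$", line)
        if m and in_names and depth == 2 and realm:
            maps[realm][m.group(1)] = m.group(2)
    return maps


def principal_to_local(principal: str, maps: Dict[str, Dict[str, str]],
                       default_realm: str) -> Optional[str]:
    """auth_to_local direction: principal -> local name. Explicit names win;
    otherwise a principal in the default realm maps to its own name; other
    realms get no local name at all."""
    name, _, realm = principal.rpartition("@")
    if name in maps.get(realm, {}):
        return maps[realm][name]
    return name if realm == default_realm else None


def k5login_principals(text: str) -> List[str]:
    """One principal per non-empty line of a .k5login file."""
    return [l.strip() for l in text.splitlines() if l.strip()]


def pam_candidate_principals(local_user: str, default_realm: str,
                             k5login_text: Optional[str], search_k5login: bool) -> List[str]:
    """Principals a pam_krb5-style password login would try for local_user.
    Without search_k5login it derives user@default_realm (the failing
    joe@EXAMPLE.COM lookup from the thread); with it, the .k5login entries."""
    if search_k5login and k5login_text is not None:
        return k5login_principals(k5login_text)
    return [f"{local_user}@{default_realm}"]


def kuserok(principal: str, local_user: str, maps: Dict[str, Dict[str, str]],
            default_realm: str, k5login_text: Optional[str]) -> bool:
    """GSSAPI-side authorization, modelled on krb5_kuserok: a .k5login, if the
    account has one, is authoritative; otherwise auth_to_local must map the
    principal to exactly local_user."""
    if k5login_text is not None:
        return principal in k5login_principals(k5login_text)
    return principal_to_local(principal, maps, default_realm) == local_user


if __name__ == "__main__":
    maps = parse_auth_to_local_names(KRB5_CONF)
    print("auth_to_local_names:", maps)
    print("password login as joe tries:",
          pam_candidate_principals("joe", DEFAULT_REALM, None, False))
    print("with search_k5login:",
          pam_candidate_principals("joe", DEFAULT_REALM, K5LOGIN, True))
    print("GSSAPI joejohnson -> joe:",
          kuserok("joejohnson@EXAMPLE.COM", "joe", maps, DEFAULT_REALM, None))
```

Running the script shows the asymmetry the thread describes: the GSSAPI path accepts joejohnson@EXAMPLE.COM for joe with either the auth_to_local_names entry or the .k5login file, while the password path only reaches joejohnson@EXAMPLE.COM when search_k5login is enabled and the principal is listed in ~joe/.k5login.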