[32516] in Kerberos


Re: pam_krb5 questions

daemon@ATHENA.MIT.EDU (Russ Allbery)
Thu Jul 15 17:28:20 2010

From: Russ Allbery <rra@stanford.edu>
To: kerberos@mit.edu
In-Reply-To: <AANLkTinHsWjc04Uxqot6gpr1BrOnTa3pAyfttZEfUYgR@mail.gmail.com>
	(Techie's message of "Thu, 15 Jul 2010 13:23:53 -0700")
Date: Thu, 15 Jul 2010 14:20:43 -0700
Message-ID: <87sk3kqw5w.fsf@windlord.stanford.edu>

Techie <techchavez@gmail.com> writes:

> I compiled Russ's pam_krb5 on Fedora and now I can use the .k5login
> file to auth with joejohnson@EXAMPLE.COM to my local joe account.
> However the auth_to_local_names maps don't work. Only the .k5login
> works. If I remove auth_to_local_names altogether it still works with
> the .k5login in place.

auth_to_local_names is only helpful if you already have a Kerberos ticket
and you're just verifying that ticket is sufficient to permit
authentication.  It doesn't help with figuring out what Kerberos principal
to authenticate as at the PAM layer, since the Kerberos library doesn't
provide a way to expose that direction of mapping.

If you don't want to use search_k5login, you would need to use
prompt_principal (which requires that the ssh client support
ChallengeResponse).

> I did not have to do this step, duplicating the password entries. Can
> you please explain the need for this? I did notice that using .k5login
> the sudo command breaks and does not accept the kerb password. Is there
> a way around this? I have the pam_krb5 listed in all 4 PAM stacks but
> still does not accept ker password for sudo.

I don't know of any reason why it shouldn't work with sudo, but I don't
personally use sudo and don't have any simple way to test.  I'd need to
see the debug log output to understand exactly what it's doing.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
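
The two mapping directions discussed in this message, shown as a configuration sketch. This is an added example, not part of the original post: the realm, principal and account names come from the question, while the file layout and the `debug` setting are assumptions.

```ini
# /etc/krb5.conf (constructed example)
[realms]
    EXAMPLE.COM = {
        # Principal -> local account. Consulted only when a ticket for
        # joejohnson@EXAMPLE.COM already exists and the question is whether
        # that ticket is allowed to act as the local account "joe".
        auth_to_local_names = {
            joejohnson = joe
        }
    }

[appdefaults]
    pam = {
        # Local account -> candidate principals. On a password login as
        # "joe", pam_krb5 reads ~joe/.k5login and tries the password against
        # each principal listed there until one succeeds.
        search_k5login = true

        # Alternative to search_k5login: ask the user which principal to
        # authenticate as before asking for the password. Over ssh this
        # needs challenge-response support in the client.
        # prompt_principal = true

        # Verbose module logging to syslog, useful when a service such as
        # sudo rejects the Kerberos password.
        debug = true
    }

# ~joe/.k5login (one principal per line)
# joejohnson@EXAMPLE.COM
```

With only the `auth_to_local_names` entry present, a password login as `joe` is attempted as `joe` in the default realm, which is why removing that entry changed nothing while `.k5login` was in place.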