[32517] in Kerberos
Re: pam_krb5 questions
daemon@ATHENA.MIT.EDU (Techie)
Thu Jul 15 17:40:52 2010
MIME-Version: 1.0
In-Reply-To: <4C3F723B.3070605@anl.gov>
Date: Thu, 15 Jul 2010 14:40:47 -0700
Message-ID: <AANLkTik3Fq2-niWGIjSXcyP9XBGnxFDwqrwRovPGvEHp@mail.gmail.com>
From: Techie <techchavez@gmail.com>
To: "Douglas E. Engert" <deengert@anl.gov>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On Thu, Jul 15, 2010 at 1:40 PM, Douglas E. Engert <deengert@anl.gov> wrote:
>
> On 7/15/2010 3:23 PM, Techie wrote:
>>
>> On Thu, Jul 15, 2010 at 12:43 PM, Douglas E. Engert <deengert@anl.gov>
>> wrote:
>>>
>>> On 7/15/2010 2:15 PM, Techie wrote:
>>>>
>>>> Hi,
>>>>
>>>> This question is actually regarding both the RHEL pam_krb5 and the
>>>> Debian or Russ's pam_krb5. What I am trying to do is to have krb5
>>>> principals login via ssh and authenticate to a local account,
>>>> so principal joejohnson@EXAMPLE.COM should be authenticated as local
>>>> account joe on the local box. I should mention that the host does not
>>>> have a keytab but I am simply trying to authenticate via ssh. I can
>>>> authenticate perfectly if the principal matches the local account.
>>>>
>>>> Now I see that the krb5.conf allows for something like this, but it
>>>> does not work. Auth fails and I get an error that joe@EXAMPLE.COM is
>>>> not found in the database. It is not mapping joejohnson@EXAMPLE.COM to
>>>> joe; it's trying joe@EXAMPLE.COM, which won't work. This is true on
>>>> RHEL and Debian.
>>>>
>>>> [REALMS]
>>>> EXAMPLE.COM = {
>>>>     auth_to_local_names = {
>>>>         joejohnson = joe
>>>>     }
>>>> }
>>>>
>>>> However, if I put this in appdefaults and add a .k5login with
>>>> joejohnson@EXAMPLE.COM in /home/joe, I can login via ssh fine. This
>>>> is only with Debian!! RHEL still fails.
>>>>
>>>> [appdefaults]
>>>> forwardable = true
>>>> pam = {
>>>>     minimum_uid = 100
>>>>     EXAMPLE.COM = {
>>>>         search_k5login = true
>>>>     }
>>>> }
>>>>
>>>> But I'd rather use auth_to_local_names or auth_to_local with a
>>>> regex. A .k5login for every user may get tedious, but I can deal if I
>>>> have to.
>>>> Now the RedHat krb5.conf man page states that I can use these
>>>> auth_to_local parameters, but as I said it still looks for the
>>>> joe@EXAMPLE.COM entry and not the joejohnson@EXAMPLE.COM entry. What
>>>> am I doing wrong? Also it seems that the RHEL pam_krb5 does not
>>>> support "search_k5login", is that accurate?
>>>
>>> Interestingly, I have been looking at this same problem this week!
>>>
>>> Russ's pam_krb5 has both the prompt_principal and search_k5login
>>> that could be used. The RedHat one has only a mappings = regex regex ...
>>> option, which is not very flexible. If it's only for a few users
>>> it might work. In either case you still need ~/.k5login or auth_to_local.
>>>
>>> Options include:
>>>
>>> run Russ's pam_krb5, at least for sshd.
>>
>> I compiled Russ's pam_krb5 on Fedora and now I can use the .k5login
>> file to auth with joejohnson@EXAMPLE.COM to my local joe account.
>> However, the auth_to_local_names maps don't work. Only the .k5login
>> works. If I remove auth_to_local_names altogether it still works with
>> the .k5login in place. So it seems .k5login is working while
>> auth_to_local_names is not.
>> You said above I would still need .k5login or auth_to_local.
>
> Ask Russ, but I think the prompt_principal might work with
> auth_to_local. In any case, .k5login works, so use it.

Ok, will do, looks like it is the option that works. Thanks!

>>>> I assume
>>>> then that auth_to_local_names won't work period?
>>>
>>> Use double /etc/passwd entries like:
>>> joe:x:11111:22222:Joe original:/home/joe:/bin/bash
>>> joejohnson:x:11111:22222:Joe original:/home/joe:/bin/bash
>>
>> I did not have to do this step, duplicating the passwd entries. Can
>> you please explain the need for this?
>
> If you wanted to continue to use the Red Hat pam_krb5, this would
> be another option, as the user could then ssh joejohnson@host and
> end up using the joe account. It has its restrictions, as joejohnson
> can only login to the joe account.
>>
>> I did notice that using .k5login
>> the sudo command breaks and does not accept the kerb password. Is
>> there a way around this? I have the pam_krb5 listed in all 4 PAM
>> stacks but it still does not accept the kerb password for sudo.
>
> Interesting. I have not tested this. You may only want to
> use Russ's pam_krb5 on sshd, and leave the rest alone.
> Try adding the joe@realm to the .k5login too.

I was mistaken, sudo is fine with the pam_krb module. I had compiled
sudo from source for testing some time ago and was pointed to those
binaries.

>>> Also duplicate any joe entries with joejohnson entries in /etc/groups
>>> and/or netgroups.
>>>
>>> If using ldap you can add a Uid=joejohnson attribute to the joe account
>>> and add joejohnson to any groups and/or netgroups.
>>>>
>>>> What is the suggested method here for mapping principals with unlike
>>>> local account names using both RHEL and Debian pam_krb? I must be
>>>> doing something incorrectly, so any help is appreciated.
>>>
>>> Not doing anything wrong, sshd and RedHat pam_krb5 are not very
>>> flexible.
>>
>> That's good to know. Even on a Debian box I am unable to use
>> auth_to_local_names. Is there a specific section I am supposed to put
>> this auth_to_local_names entry in?
>
> Sounds like it is not needed if you have the .k5login. I only used it
> a long time ago, for mapping realms. It's tricky to set up too.

Agreed, was just hoping to use the auth_to_local similar to sasl regex
mapping in OpenLDAP. That way you have one mapping defined and don't
worry about .k5login files.
But this will have to do for now.

Appreciate the help
TC

>> I am specifying it in the [REALM]
>> section as instructed by the krb5.conf man page.
>>
>> Thanks again
>> TC
>>>>
>>>> Thanks
>>>> TC
>
> --
> Douglas E. Engert <DEEngert@anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
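The two mechanisms argued over in this thread map in opposite directions, which is the reason the auth_to_local_names stanza never fires here. krb5.conf auth_to_local_names and auth_to_local are consulted by krb5_aname_to_localname and krb5_kuserok, i.e. when the application already holds an authenticated principal (sshd's GSSAPI path, which also needs a host keytab) and must pick a local account for it. A PAM password login starts from the other end: both pam_krb5 modules take the PAM user name and try to get a TGT for user@DEFAULT_REALM, which is exactly the joe@EXAMPLE.COM lookup the poster sees; only search_k5login (or prompt_principal, or Red Hat's mappings option) lets the module try a different principal for that account. The model below is an added illustration, not code from MIT krb5, from either pam_krb5, or from anyone in the thread: it implements a simplified version of the auth_to_local RULE/DEFAULT evaluation and of the auth_to_local_names lookup, plus a .k5login-driven candidate search the way search_k5login behaves, and runs the thread's joejohnson/joe case both ways. It assumes the default realm is EXAMPLE.COM, that selector regexes contain no nested ")", and that the rule and .k5login contents are the constructed samples in the block.

```python
# Added illustration (not code from MIT krb5, pam_krb5 or the thread): a
# simplified model of the two mapping mechanisms the thread discusses.
#   1. krb5.conf auth_to_local_names / auth_to_local (principal -> local account),
#      the mapping sshd consults through krb5_kuserok for GSSAPI logins.
#   2. A pam_krb5-style search_k5login (local account -> candidate principals),
#      the only mapping available to a PAM password login.
# Assumptions: the default realm is EXAMPLE.COM as in the thread, and selector
# regexes in RULE entries contain no nested ')'.
import re

DEFAULT_REALM = "EXAMPLE.COM"

RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\(([^)]*)\)(.*)$")
SUBST_RE = re.compile(r"^s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def split_principal(principal):
    """'comp1/comp2@REALM' -> (['comp1', 'comp2'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name:
        raise ValueError("malformed principal: %r" % principal)
    return name.split("/"), realm


def apply_rule(rule, principal):
    """Evaluate one auth_to_local value; return the local name, or None if it does not match."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT: a one-component principal in the default realm maps to that component.
        return comps[0] if realm == DEFAULT_REALM and len(comps) == 1 else None
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("unsupported auth_to_local value: %r" % rule)
    n, fmt, selector, substs = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    if len(comps) != n:          # the rule applies only to principals with exactly n components
        return None
    fields = {"0": realm}        # $0 is the realm, $1..$n are the components
    fields.update((str(i + 1), c) for i, c in enumerate(comps))
    candidate = re.sub(r"\$(\d)", lambda v: fields[v.group(1)], fmt)
    if re.fullmatch(selector, candidate) is None:   # selector must match the whole string
        return None
    while substs:                # zero or more s/pattern/replacement/[g] clauses
        s = SUBST_RE.match(substs)
        if s is None:
            raise ValueError("bad substitution clause in %r" % rule)
        pattern, replacement, global_flag = s.groups()
        candidate = re.sub(pattern, replacement, candidate, count=0 if global_flag else 1)
        substs = substs[s.end():]
    return candidate


def aname_to_localname(principal, auth_to_local=(), auth_to_local_names=None):
    """Model of krb5_aname_to_localname: explicit names first, then the rules in order."""
    comps, _realm = split_principal(principal)
    explicit = (auth_to_local_names or {}).get("/".join(comps))
    if explicit is not None:
        return explicit
    for rule in (auth_to_local or ["DEFAULT"]):
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


def k5login_candidates(local_user, k5login_text=""):
    """Model of pam_krb5 with search_k5login: the PAM user name is the starting
    point and each principal listed in ~local_user/.k5login is tried with the
    supplied password. With no .k5login it tries local_user@DEFAULT_REALM."""
    listed = [ln.strip() for ln in k5login_text.splitlines()
              if ln.strip() and not ln.lstrip().startswith("#")]
    return listed or ["%s@%s" % (local_user, DEFAULT_REALM)]


# The thread's mapping written both ways (constructed sample configuration).
THREAD_RULES = [
    r"RULE:[1:$1@$0](^joejohnson@EXAMPLE\.COM$)s/^joejohnson@EXAMPLE\.COM$/joe/",
    "DEFAULT",
]
THREAD_NAMES = {"joejohnson": "joe"}


def demo():
    # GSSAPI login: sshd holds the authenticated principal and maps it to an account.
    via_rule = aname_to_localname("joejohnson@EXAMPLE.COM", THREAD_RULES)
    via_names = aname_to_localname("joejohnson@EXAMPLE.COM", ["DEFAULT"], THREAD_NAMES)
    plain = aname_to_localname("bob@EXAMPLE.COM", THREAD_RULES)      # DEFAULT applies
    foreign = aname_to_localname("bob@OTHER.ORG", THREAD_RULES)      # nothing matches
    # PAM password login as 'joe': the module starts from the account name, so the
    # krb5.conf mapping above is never consulted; only .k5login adds a principal.
    no_k5login = k5login_candidates("joe")
    with_k5login = k5login_candidates("joe", "joejohnson@EXAMPLE.COM\n")
    return via_rule, via_names, plain, foreign, no_k5login, with_k5login


if __name__ == "__main__":
    print(demo())
```

Two practical notes follow from the model. The RULE form shown is the one to use when a GSSAPI login (which needs a host keytab) should land joejohnson@EXAMPLE.COM in the joe account, with DEFAULT kept last so every other same-realm principal still maps to its own name; a rule whose selector or substitution does not anchor on the realm will also match foreign-realm principals, so anchor on $0 as the sample does. For the password path the poster is actually using, note that a host without a keytab cannot verify the TGT it obtains against a host key; MIT's verify_ap_req_nofail defaults to false, so the check is silently skipped and the login is open to a spoofed KDC unless a keytab is installed and that option is enabled.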