[32518] in Kerberos
Re: pam_krb5 questions
daemon@ATHENA.MIT.EDU (Techie)
Thu Jul 15 17:50:05 2010
MIME-Version: 1.0
In-Reply-To: <87sk3kqw5w.fsf@windlord.stanford.edu>
Date: Thu, 15 Jul 2010 14:49:59 -0700
Message-ID: <AANLkTik89NzLA4w7pVXID7RepUFmoohoF1cNukaU6i_s@mail.gmail.com>
From: Techie <techchavez@gmail.com>
To: Russ Allbery <rra@stanford.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On Thu, Jul 15, 2010 at 2:20 PM, Russ Allbery <rra@stanford.edu> wrote:
> Techie <techchavez@gmail.com> writes:
>
>> I compiled Russ's pam_krb5 on Fedora and now I can use the .k5login
>> file to auth with joejohnson@EXAMPLE.COM to my local joe account.
>> However the auth_to_local_names maps don't work.. Only the .k5login
>> works.. If I remove auth_to_local_names altogether it still works with
>> the .k5login in place.
>
> auth_to_local_names is only helpful if you already have a Kerberos ticket
> and you're just verifying that ticket is sufficient to permit
> authentication. It doesn't help with figuring out what Kerberos principal
> to authenticate as at the PAM layer, since the Kerberos library doesn't
> provide a way to expose that direction of mapping.

Ok I see now, thank you for clarifying that. I was going bonkers.

>
> If you don't want to use search_k5login, you would need to use
> prompt_principal (which requires that the ssh client support
> ChallengeResponse).

.k5login appears to be cleaner; prompt_principal seems to require that
I input a principal name.

>> I did not have to do this step, duplicating the password entries. Can
>> you please explain the need for this? I did notice that using .k5login
>> the sudo command breaks and does not accept the kerb password. Is there
>> a way around this? I have the pam_krb5 listed in all 4 PAM stacks but
>> still does not accept kerb password for sudo.
>
> I don't know of any reason why it shouldn't work with sudo, but I don't
> personally use sudo and don't have any simple way to test. I'd need to
> see the debug log output to understand exactly what it's doing.

You are right Russ, it was my mistake.

You don't use sudo! What do you use?

Thanks
TC

> --
> Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
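The two mapping directions discussed in the thread, as an added example that is not part of the thread and not code from pam_krb5 or MIT krb5: auth_to_local goes from an already-authenticated principal to a local account, while search_k5login starts from the local account name typed at the prompt and tries the principals listed in that user's .k5login. The krb5.conf mapping, the .k5login contents and the stand-in KDC password table are all constructed sample data.

```python
# Constructed stand-in for an auth_to_local_names stanza in krb5.conf.
AUTH_TO_LOCAL_NAMES = {"joejohnson@EXAMPLE.COM": "joe"}

# Constructed stand-in for each user's ~/.k5login: one principal per line.
K5LOGIN_FILES = {"joe": "joejohnson@EXAMPLE.COM\nadmin/joe@EXAMPLE.COM\n"}

# Constructed stand-in for the KDC: the password each principal would accept.
FAKE_KDC = {"joejohnson@EXAMPLE.COM": "hunter2", "admin/joe@EXAMPLE.COM": "s3cret"}

DEFAULT_REALM = "EXAMPLE.COM"


def principal_to_local(principal):
    """auth_to_local direction: authenticated principal -> local account.

    This is what a ticket-bearing login (e.g. GSSAPI) uses. An explicit
    auth_to_local_names entry wins; otherwise only user@DEFAULT_REALM with
    no instance maps to 'user', and anything else is rejected (None)."""
    if principal in AUTH_TO_LOCAL_NAMES:
        return AUTH_TO_LOCAL_NAMES[principal]
    name, _, realm = principal.rpartition("@")
    if realm == DEFAULT_REALM and "/" not in name:
        return name
    return None


def parse_k5login(text):
    """Principals listed in a .k5login file, in file order."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def search_k5login(local_user, password, kdc=FAKE_KDC):
    """The opposite direction, modelled on pam_krb5's search_k5login.

    At a password prompt only the local user name is known. The krb5
    library has no lookup for 'which principals belong to this account',
    so the user's .k5login is the only source: each listed principal is
    tried with the supplied password and the first one that authenticates
    is returned (None if the file is absent or nothing matches)."""
    k5login_text = K5LOGIN_FILES.get(local_user)
    if k5login_text is None:
        return None
    for principal in parse_k5login(k5login_text):
        # Stands in for obtaining initial credentials with the password.
        if kdc.get(principal) == password:
            return principal
    return None
```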