[36380] in Kerberos


Re: libapache2-mod-auth-kerb and cross-realm

daemon@ATHENA.MIT.EDU (Simo Sorce)
Thu Aug 14 18:00:05 2014

Message-ID: <1408053589.15168.31.camel@willson.usersys.redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Jaap Winius <jwinius@umrk.nl>
Date: Thu, 14 Aug 2014 17:59:49 -0400
In-Reply-To: <lsj798$4tt$1@ger.gmane.org>
Mime-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Thu, 2014-08-14 at 20:47 +0000, Jaap Winius wrote:
> On Thu, 14 Aug 2014 09:56:35 -0400, Simo Sorce wrote:
> 
> > Keep in mind that this will make foo@MYREALM.COM and foo@EXAMPLE.COM
> > effectively the same user...
> 
> Yes, a nuance that did not escape me. In fact, I imagined that it was for 
> security reasons that auth_to_local could only be applied to members of 
> the default realm. This meant Greg's solution and explanation was all the 
> more surprising to me.
> 
> > .. for all applications (including Apache and SSH).
> 
> Like I said in my last post, I was worried about that too, but for SSH at 
> least it appears not to be a problem: I can use it to connect to the same 
> host, run klist and see that I still have a MYREALM.COM tgt. OpenAFS 
> doesn't care either. However, I haven't yet tested this with all of the 
> other services.

What you observe is expected when you use PAM authentication in OpenSSH
(i.e. you enter username/password at the prompt); however, should you use
GSSAPI authentication instead, then both foo@MYREALM.COM and
foo@EXAMPLE.COM would be logged in as 'foo'.

> > If you do not want that what you can do is to change the first line to
> > something like:
> > auth_to_local = RULE:[1:$1@$0](.*@MYREALM.COM)s/^\(.*\)@MYREALM.COM$/myrealm-\1/
> 
> An excellent idea! However, your syntax here is a bit buggy. The 
> parentheses in the first half of the substitution string should not be 
> escaped, while the '\1' in the replacement doesn't work; it gets 
> translated literally, just as $1 is. (Why doesn't it work?)
> 
> > or:
> > auth_to_local = RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$/@myrealm.com/
> 
> This works in principle, but an entry shows up in the Apache error log if 
> the resulting string has more than 14 characters (even if a string to 
> match it exists in the 'require user' list):
> 
> krb5_aname_to_localname() failed: Insufficient space to return complete 
> information

Sounds like a bug in your mod_auth_kerb module; in Fedora/RHEL I see a
patch to deal with that, which sets the max length to 255.

> So I've come up with this slight modification of your second method:
> 
>   RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$/-m/
> 
> This gives 'foo@MYREALM.COM => foo-m' and will work for users with login 
> names that have up to 12 characters.

as long as it works for you :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
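The mapping behaviour discussed in this thread can be checked offline before touching krb5.conf. The script below is an added illustration, not part of the thread and not MIT krb5's own code: it parses auth_to_local RULE: lines of the form [n:string](regexp)s/pattern/replacement/ and applies them to principal names. It assumes the semantics described above: a rule only applies to principals with exactly n components, the whole formatted string must match the selector, the replacement text is inserted literally (the thread reports that \1 is not expanded), and the first matching rule wins. The PERMISSIVE rule is constructed here to stand in for the unrestricted first line Simo refers to; RESTRICTED is Jaap's final rule. Escaped characters in principal names (\@, \/) are not handled.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# RULE:[n:string](regexp)s/pattern/replacement/g  -- selector and substitutions optional
RULE_RE = re.compile(
    r'^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]'   # [n:string]
    r'(?:\((?P<sel>.*)\))?'                   # (regexp) selector
    r'(?P<subs>(?:s/.*)?)$'                   # zero or more s/.../.../[g]
)
# One s/pattern/replacement/[g] substitution; a backslash escapes a slash inside either part.
SUB_RE = re.compile(r'^s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/(g?)')


@dataclass
class AuthToLocalRule:
    ncomponents: int
    fmt: str                         # e.g. "$1@$0"
    selector: Optional[str]          # regexp the formatted string must match, or None
    subs: List[Tuple[str, str, bool]]  # (pattern, replacement, global?)


def parse_rule(text: str) -> AuthToLocalRule:
    """Split a RULE: line into its parts; raises ValueError on malformed input."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a RULE: line: {text!r}")
    subs, rest = [], m.group('subs')
    while rest:
        sm = SUB_RE.match(rest)
        if not sm:
            raise ValueError(f"bad substitution in rule: {rest!r}")
        subs.append((sm.group(1), sm.group(2), sm.group(3) == 'g'))
        rest = rest[sm.end():]
    return AuthToLocalRule(int(m.group('n')), m.group('fmt'), m.group('sel'), subs)


def split_principal(principal: str) -> Tuple[List[str], str]:
    """'host/web@REALM' -> (['host', 'web'], 'REALM'). Escapes are not handled (assumption)."""
    name, sep, realm = principal.rpartition('@')
    if not sep or not realm:
        raise ValueError(f"principal lacks a realm: {principal!r}")
    return name.split('/'), realm


def format_string(fmt: str, components: List[str], realm: str) -> str:
    """Expand $0 to the realm and $1..$n to the principal components."""
    def repl(m: re.Match) -> str:
        i = int(m.group(1))
        return realm if i == 0 else components[i - 1]
    return re.sub(r'\$(\d+)', repl, fmt)


def apply_rule(rule: AuthToLocalRule, principal: str) -> Optional[str]:
    """Return the local name the rule yields, or None if the rule does not apply."""
    components, realm = split_principal(principal)
    if len(components) != rule.ncomponents:
        return None
    s = format_string(rule.fmt, components, realm)
    # Assumed: the selector must match the whole formatted string.
    if rule.selector is not None and re.fullmatch(rule.selector, s) is None:
        return None
    for pattern, replacement, glob in rule.subs:
        # Replacement inserted literally: per the thread, \1 backreferences are not expanded.
        s = re.sub(pattern, lambda _m: replacement, s, count=0 if glob else 1)
    return s


def map_principal(rules: List[str], principal: str) -> Optional[str]:
    """First matching rule wins; None means no rule mapped the principal."""
    for text in rules:
        local = apply_rule(parse_rule(text), principal)
        if local is not None:
            return local
    return None


def local_name_collisions(rules: List[str], principals: List[str]) -> Dict[str, Set[str]]:
    """Local names that more than one principal maps to: the 'same user' problem Simo warns about."""
    seen: Dict[str, Set[str]] = {}
    for p in principals:
        local = map_principal(rules, p)
        if local is not None:
            seen.setdefault(local, set()).add(p)
    return {local: ps for local, ps in seen.items() if len(ps) > 1}


# Constructed stand-in for an unrestricted first line: strip the realm from any 1-component principal.
PERMISSIVE = "RULE:[1:$1](.*)"
# Jaap's final rule from the thread: only MYREALM.COM principals, suffixed with '-m'.
RESTRICTED = "RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$/-m/"
SAMPLE_PRINCIPALS = ["foo@MYREALM.COM", "foo@EXAMPLE.COM", "host/web.example.com@MYREALM.COM"]

if __name__ == "__main__":
    for label, rules in (("permissive", [PERMISSIVE]), ("restricted", [RESTRICTED])):
        print(label, {p: map_principal(rules, p) for p in SAMPLE_PRINCIPALS},
              "collisions:", local_name_collisions(rules, SAMPLE_PRINCIPALS))
```

Running it shows the two outcomes side by side: with the permissive rule foo@MYREALM.COM and foo@EXAMPLE.COM both become 'foo' and are reported as a collision, while the restricted rule maps only foo@MYREALM.COM (to 'foo-m') and leaves the EXAMPLE.COM principal and the two-component host principal unmapped, so they fall through to whatever later rules or DEFAULT say.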
