[17313] in Athena Bugs


Re: sun4 8.3.15: ssh

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Oct 26 15:21:29 1999

Date: Tue, 26 Oct 1999 15:21:19 -0400 (EDT)
Message-Id: <199910261921.PAA25589@small-gods.mit.edu>
From: Greg Hudson <ghudson@MIT.EDU>
To: Greg Hudson <ghudson@mit.edu>
CC: Nickolai Zeldovich <kolya@mit.edu>, bugs@mit.edu
In-reply-to: "[17306] in Athena Bugs"

I wrote:
> By default, when using krb5 authentication, ssh passes the whole
> krb5 principal over the wire and then the receiving sshd calls
> krb5_aname_to_localname() on that.  That routine is fairly flexible,
> and we may be able to just configure in krb5.conf that
> foo.*@ATHENA.MIT.EDU should map to foo.  I'll look into that.

Unfortunately, doing that would have access control ramifications;
krb5_kuserok() will grant you access to a local account if no .k5login
or .klogin file is present and your aname maps to the account's
localname.  So that change would probably be unwise; I don't want to
suddenly start granting foo/*@ATHENA.MIT.EDU access to account foo
when previously only foo@ATHENA.MIT.EDU had access.

So I don't think we're going to change the behavior you dislike.  It
would be nice if ssh could pass both the Kerberos name and the local
name to sshd and use the local name if the Kerberos name has no
mapping, but I don't think the protocol allows that.
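The access-control concern in this message comes from two krb5 library calls working together: krb5_aname_to_localname() turns a principal into a local username according to the auth_to_local rules in krb5.conf, and krb5_kuserok() then grants login to an account with no .k5login file whenever that local username equals the account name. The model below is an added illustration, not code from this thread, from sshd or from MIT krb5; it is a simplified Python re-implementation of the auth_to_local RULE/DEFAULT syntax and of the .k5login check (the real library also consults .klogin and other details), with a constructed default realm and constructed rule sets, so the effect of the proposed foo/*@ATHENA.MIT.EDU -> foo mapping can be checked offline.

```python
import re

# Constructed for this example: the realm that krb5.conf would name as default_realm.
DEFAULT_REALM = "ATHENA.MIT.EDU"

# MIT krb5 auth_to_local RULE syntax: RULE:[n:format](regexp)s/pattern/replacement/[g]
# n      = number of principal components the rule applies to
# format = string built from $0 (realm) and $1..$n (components)
# regexp = must match the formatted string for the rule to fire
_RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\]\(([^)]*)\)(?:s/([^/]*)/([^/]*)/(g?))?"
)


def parse_principal(principal):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM')."""
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def apply_rule(rule, principal):
    """Return the local name produced by one rule, or None if it does not apply."""
    components, realm = parse_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals in the default realm.
        if len(components) == 1 and realm == DEFAULT_REALM:
            return components[0]
        return None
    m = _RULE_RE.fullmatch(rule)
    if m is None:
        raise ValueError("unparseable auth_to_local rule: %r" % rule)
    n, fmt, regexp, pat, repl, flag = m.groups()
    if len(components) != int(n):
        return None
    s = fmt.replace("$0", realm)
    for i, comp in enumerate(components, 1):
        s = s.replace("$%d" % i, comp)
    if not re.search(regexp, s):
        return None
    if pat is not None:
        s = re.sub(pat, repl, s, count=0 if flag else 1)
    return s


def aname_to_localname(principal, rules):
    """Simplified krb5_aname_to_localname(): first matching rule wins."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


def kuserok(principal, account, k5login_by_account, rules):
    """Simplified krb5_kuserok().

    k5login_by_account maps an account name to the set of principals listed in
    its .k5login file; an account absent from the dict has no .k5login file.
    """
    if account in k5login_by_account:
        # A .k5login file is authoritative: only listed principals get in.
        return principal in k5login_by_account[account]
    # No .k5login: access is granted if the principal maps to the account name.
    return aname_to_localname(principal, rules) == account


# Constructed rule sets. SAFE_RULES is the stock behaviour; WIDE_RULES adds the
# two-component mapping discussed in the message (foo/anything@REALM -> foo).
SAFE_RULES = ["DEFAULT"]
WIDE_RULES = [r"RULE:[2:$1@$0](^.*@ATHENA\.MIT\.EDU$)s/@.*//", "DEFAULT"]


def access_matrix(principal, account):
    """Show who gets into 'account' under each rule set, with and without .k5login."""
    strict_k5login = {account: {account + "@" + DEFAULT_REALM}}
    return {
        "safe_no_k5login": kuserok(principal, account, {}, SAFE_RULES),
        "wide_no_k5login": kuserok(principal, account, {}, WIDE_RULES),
        "wide_with_k5login": kuserok(principal, account, strict_k5login, WIDE_RULES),
    }


if __name__ == "__main__":
    for p in ("foo@ATHENA.MIT.EDU", "foo/admin@ATHENA.MIT.EDU"):
        print(p, "->", aname_to_localname(p, WIDE_RULES), access_matrix(p, "foo"))
```

Running the script shows the trade-off the message describes: under the stock DEFAULT rule, foo/admin@ATHENA.MIT.EDU has no local name and is refused, while the wider rule maps it to foo and, on any account without a .k5login file, lets it in; only an explicit .k5login listing restores the narrower behaviour per account.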
