cross-realm authentication question - Kerberos


Thread: cross-realm authentication question

  1. cross-realm authentication question


    Hi guys, I have a pretty basic question about how cross-realm
    authentication works with ssh. Can kerberized logins work when your TGT
    is not from the default realm (as specified by /etc/krb5.conf)?

    I set up 2 MIT KDCs using Ubuntu server (dapper) each in a different
    realm (say REALM1 and REALM2), and configured them for cross-realm
    authentication. I put my service principal for a test client
    (host/cselin12.REALM1@REALM1) in one KDC and an account (rohitm@REALM2)
    in the other.

    On my client (also running the same version of Ubuntu with libpam_krb5),
    I configured ssh for gssapi, and installed the keytab with the principal
    "host/cselin12.REALM1@REALM". I was able to "kinit rohitm@REALM2" and
    ssh to cselin12.REALM1 and login automatically when my default realm (in
    /etc/krb5.conf) was set to be REALM2. However, if I set it to be
    REALM1, it did not work and I get prompted for a password.

    This is not that big a deal for us, but if we wanted to have different
    users logging in to the same machine, some whose account principals only
    existed in REALM1 and some whose account principals only existed in
    REALM2, would there be a way to do that?

    Many thanks for any help,

    Rohit


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: cross-realm authentication question



    Rohit Kumar Mehta wrote:
    > Hi guys, I have a pretty basic question about how cross-realm
    > authentication works with ssh. Can kerberized logins work when your TGT
    > is not from the default realm (as specified by /etc/krb5.conf)?
    >
    > I set up 2 MIT KDCs using Ubuntu server (dapper) each in a different
    > realm (say REALM1 and REALM2), and configured them for cross-realm
    > authentication. I put my service principal for a test client
    > (host/cselin12.REALM1@REALM1) in one KDC and an account (rohitm@REALM2)
    > in the other.
    >
    > On my client (also running the same version of Ubuntu with libpam_krb5),
    > I configured ssh for gssapi, and installed the keytab with the principal
    > "host/cselin12.REALM1@REALM". I was able to "kinit rohitm@REALM2" and
    > ssh to cselin12.REALM1 and login automatically when my default realm (in
    > /etc/krb5.conf) was set to be REALM2. However, if I set it to be
    > REALM1, it did not work and I get prompted for a password.
    >
    > This is not that big a deal for us, but if we wanted to have different
    > users logging in to the same machine, some whose account principals only
    > existed in REALM1 and some whose account principals only existed in
    > REALM2, would there be a way to do that?


    Yes. Read up on the .k5login file and the krb5.conf auth_to_local.



    > Many thanks for any help,
    >
    > Rohit


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444


  3. Re: cross-realm authentication question

    Rohit Kumar Mehta writes:

    > On my client (also running the same version of Ubuntu with libpam_krb5),
    > I configured ssh for gssapi, and installed the keytab with the principal
    > "host/cselin12.REALM1@REALM". I was able to "kinit rohitm@REALM2" and
    > ssh to cselin12.REALM1 and login automatically when my default realm (in
    > /etc/krb5.conf) was set to be REALM2. However, if I set it to be
    > REALM1, it did not work and I get prompted for a password.


    Did you create a ~/.k5login file in the home directory of the user to
    which you're trying to log in that lists the principal in the other realm?
    If ~/.k5login exists, Kerberos will use that for authorization; if it
    doesn't, it falls back on krb5_aname_to_localname, which will fail for
    cross-realm principals.

    --
    Russ Allbery (rra@stanford.edu)


  4. Re: cross-realm authentication question

    Try to use in the realms section of the krb5.conf file on hosts with default
    realm REALM1:

    [realms]
        REALM1 = {
            # Principals from REALM2: format as name@realm, keep the match,
            # then strip everything from the '@' to get the local user name
            auth_to_local = RULE:[1:$1@$0](.*@REALM2$)s/@.*//
            # Everything else: single-component REALM1 principals map to their name
            auth_to_local = DEFAULT
        }


    and on hosts with default REALM2:

    [realms]
        REALM2 = {
            # Mirror image of the REALM1 rule: accept REALM1 principals by name
            auth_to_local = RULE:[1:$1@$0](.*@REALM1$)s/@.*//
            # Single-component REALM2 principals map to their name
            auth_to_local = DEFAULT
        }


    This would avoid having .k5login files everywhere, BUT you have to
    understand that now the administrator of REALM2 can control the access to
    hosts in REALM1 and userids have to be unique in both realms.

    Regards
    Markus

    "Rohit Kumar Mehta" wrote in message
    news:46292B5B.5060005@engr.uconn.edu...
    >
    > Hi guys, I have a pretty basic question about how cross-realm
    > authentication works with ssh. Can kerberized logins work when your TGT
    > is not from the default realm (as specified by /etc/krb5.conf)?
    >
    > I set up 2 MIT KDCs using Ubuntu server (dapper) each in a different
    > realm (say REALM1 and REALM2), and configured them for cross-realm
    > authentication. I put my service principal for a test client
    > (host/cselin12.REALM1@REALM1) in one KDC and an account (rohitm@REALM2)
    > in the other.
    >
    > On my client (also running the same version of Ubuntu with libpam_krb5),
    > I configured ssh for gssapi, and installed the keytab with the principal
    > "host/cselin12.REALM1@REALM". I was able to "kinit rohitm@REALM2" and
    > ssh to cselin12.REALM1 and login automatically when my default realm (in
    > /etc/krb5.conf) was set to be REALM2. However, if I set it to be
    > REALM1, it did not work and I get prompted for a password.
    >
    > This is not that big a deal for us, but if we wanted to have different
    > users logging in to the same machine, some whose account principals only
    > existed in REALM1 and some whose account principals only existed in
    > REALM2, would there be a way to do that?
    >
    > Many thanks for any help,
    >
    > Rohit




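Added example, not from any post in this thread and not MIT Kerberos code: a small Python model of the authorization decision Russ and Markus describe. It imitates krb5_kuserok and krb5_aname_to_localname for the subset of auth_to_local syntax used above (DEFAULT, and RULE:[n:format](selector)s/pattern/replacement/[g]) and the ~/.k5login lookup, then replays the thread's situation of rohitm@REALM2 logging in to a host whose default realm is REALM1. The principal names, rule strings and .k5login contents are constructed from the thread; the function names are this example's own. It is a model of the documented semantics, not a substitute for testing against the real library.

```python
"""Model of the Kerberos login-authorization decision discussed in this thread.

Added example, not MIT Kerberos code.  Imitates krb5_kuserok and
krb5_aname_to_localname for the auth_to_local forms used above:
  DEFAULT
  RULE:[n:format](selector)s/pattern/replacement/[g]
Rule strings and .k5login contents are constructed from the thread.
"""
import re
from typing import Dict, List, Optional

# RULE:[n:format](selector)s/pattern/replacement/[g]; selector and s/// are optional.
RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"
    r"(?:\((?P<sel>.*?)\))?"
    r"(?:s/(?P<pat>(?:[^/\\]|\\.)*)/(?P<rep>(?:[^/\\]|\\.)*)/(?P<g>g?))?$"
)


def split_principal(principal: str):
    """'host/cselin12.REALM1@REALM1' -> (['host', 'cselin12.REALM1'], 'REALM1')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name:
        raise ValueError(f"principal without realm: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule: str, principal: str, default_realm: str) -> Optional[str]:
    """Apply one auth_to_local rule; None means the rule does not apply."""
    components, realm = split_principal(principal)
    if rule == "DEFAULT":
        # MIT DEFAULT: a single-component principal in the default realm maps to
        # its name.  Other realms and host/... principals do not map at all.
        if realm == default_realm and len(components) == 1:
            return components[0]
        return None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported auth_to_local rule: {rule!r}")
    if int(m["n"]) != len(components):
        return None  # component count must match n exactly
    parts = [realm] + components  # $0 is the realm, $1..$n the components

    def expand(mm):
        idx = int(mm.group(1))
        if idx >= len(parts):
            raise ValueError(f"rule {rule!r} references ${idx}, principal has {len(parts) - 1} components")
        return parts[idx]

    candidate = re.sub(r"\$(\d+)", expand, m["fmt"])
    if m["sel"] is not None and not re.search(m["sel"], candidate):
        return None  # selector regexp did not match the formatted string
    if m["pat"] is not None:
        candidate = re.sub(m["pat"], m["rep"], candidate, count=0 if m["g"] else 1)
    return candidate


def aname_to_localname(principal: str, default_realm: str, rules: List[str]) -> Optional[str]:
    """First rule in auth_to_local order that yields a name wins."""
    for rule in rules:
        name = apply_rule(rule, principal, default_realm)
        if name is not None:
            return name
    return None


def kuserok(principal: str, luser: str, default_realm: str, rules: List[str],
            k5login: Optional[str] = None) -> bool:
    """May `principal` log in as local user `luser`?

    k5login is the text of ~luser/.k5login, or None when the file is absent.
    If the file exists it is the whole decision; otherwise the principal must
    map to exactly `luser` through auth_to_local.
    """
    if k5login is not None:
        allowed = {ln.strip() for ln in k5login.splitlines()
                   if ln.strip() and not ln.lstrip().startswith("#")}
        return principal in allowed
    return aname_to_localname(principal, default_realm, rules) == luser


# Markus's rules for hosts whose default realm is REALM1.
REALM1_RULES = ["RULE:[1:$1@$0](.*@REALM2$)s/@.*//", "DEFAULT"]


def thread_scenarios() -> Dict[str, bool]:
    """Replay the thread: rohitm@REALM2 ssh-ing to cselin12.REALM1 as 'rohitm'."""
    p = "rohitm@REALM2"
    return {
        "default_realm REALM2, DEFAULT only": kuserok(p, "rohitm", "REALM2", ["DEFAULT"]),
        "default_realm REALM1, DEFAULT only": kuserok(p, "rohitm", "REALM1", ["DEFAULT"]),
        "default_realm REALM1, ~rohitm/.k5login lists the principal":
            kuserok(p, "rohitm", "REALM1", ["DEFAULT"], k5login="rohitm@REALM2\n"),
        "default_realm REALM1, auth_to_local RULE for REALM2":
            kuserok(p, "rohitm", "REALM1", REALM1_RULES),
        # Markus's caveat: the rule admits any REALM2 user whose name matches a
        # local account, so REALM2's admin now controls access to REALM1 hosts.
        "alice@REALM2 becomes local alice via the RULE":
            kuserok("alice@REALM2", "alice", "REALM1", REALM1_RULES),
        # A .k5login, once present, overrides the mapping entirely.
        ".k5login present but principal not listed":
            kuserok(p, "rohitm", "REALM1", REALM1_RULES, k5login="rohitm@REALM1\n"),
    }


if __name__ == "__main__":
    for label, ok in thread_scenarios().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {label}")
```

The second scenario is the password prompt Rohit saw: with default_realm REALM1 and only DEFAULT, rohitm@REALM2 maps to no local user, so GSSAPI authorization fails and sshd falls through to the next method. The last two scenarios show the two sides of Markus's caveat: the RULE grants access by bare user name across the trust, while a .k5login in the target account's home directory takes that decision away from auth_to_local and the remote realm's administrator.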

