On Wed, Oct 03, 2007 at 07:51:30PM +0100, Markus Moeller wrote:
> Could this be part of a name service extension, so that it can be either
> local file, nis or ldap or .. ?


Well, what I'm after is a centralized OpenSSH authorization solution which
currently doesn't seem to exist. To quote from my earlier email:

In the solution I am envisioning, this daemon would take the hostname,
principal and username and return whether the mapping is valid or not, i.e.
whether that principal can log into that user@hostname. This then would
somehow end up back in the app through krb5_kuserok().

(Btw, it sounds like this could also be implemented using a centralized
authorization server.)

Having a secure facility like this available could probably benefit other apps
besides OpenSSH.

Jos

> Markus
>
> "Douglas E. Engert" wrote in message
> news:4702BBC5.3050703@anl.gov...
> > Does anyone have any mods to use LDAP to store the auth_to_local
> > database? Something like:
> >
> > auth_to_local=LDAP:....
> >
> > Thus it could be used by sshd for example.
> >
> > --
> >
> > Douglas E. Engert
> > Argonne National Laboratory
> > 9700 South Cass Avenue
> > Argonne, Illinois 60439
> > (630) 252-5444
> > ________________________________________________
> > Kerberos mailing list Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >



--
Jos Backus
jos at catnook.com