principal/username mapping for Kerberized ssh - SSH


  1. principal/username mapping for Kerberized ssh

    I've been searching in vain for any documentation about how Kerberized
    ssh authorizes an authenticated Kerberos principal to connect as a
    certain user. The default behavior seems to be that the principal
    name (not including the realm) must match the Unix username. For
    example, user123@AN.ACCEPTABLE.REALM can log in as user123.

    Can I configure this behavior? Specifically, I want to configure ssh
    so that a specified list of Kerberos principals is authorized to
    connect as a certain user. Even better would be to allow any Kerberos
    principal matching a specified pattern to connect as that user.

    Is this possible?

    Thanks,
    David

  2. Re: principal/username mapping for Kerberized ssh

    >>>>> "grackle" == grackle writes:

    grackle> I've been searching in vain for any documentation about how
    grackle> Kerberized ssh authorizes an authenticated Kerberos principal
    grackle> to connect as a certain user. The default behavior seems to
    grackle> be that the principal name (not including the realm) must
    grackle> match the Unix username. For example,
    grackle> user123@AN.ACCEPTABLE.REALM can log in as user123.

    grackle> Can I configure this behavior? Specifically, I want to
    grackle> configure ssh so that a specified list of Kerberos principals
    grackle> is authorized to connect as a certain user.

    List the principals in ~/.k5login.

    grackle> Even better would be to allow any Kerberos principal matching a specified
    grackle> pattern to connect as that user.

    See documentation on auth_to_local rules in krb5.conf.

    grackle> Is this possible?

    grackle> Thanks, David

    --
    Richard Silverman
    res@qoxp.net


  3. Re: principal/username mapping for Kerberized ssh

    On Feb 21, 10:41 pm, "Richard E. Silverman" wrote:
    >
    > List the principals in ~/.k5login.
    >
    > grackle> Even better would be to allow any Kerberos principal matching a specified
    > grackle> pattern to connect as that user.
    >
    > See documentation on auth_to_local rules in krb5.conf.
    >


    Thanks for the reply. So Kerberos itself does the mapping from
    principals to usernames -- not what I expected at all! I assumed
    Kerberos only concerned itself with principals and realms (i.e.,
    authentication).

    auth_to_local is only briefly mentioned in my local man file, but I found
    good documentation here:

    http://docs.sun.com/app/docs/doc/819...-4?l=en&a=view

    auth_to_local really defines a mapping, since only the first matching
    rule applies, so if I wanted a principal to be authorized for more
    than one user account, I would have to use .k5login. It looks like
    auth_to_local solves my problem nicely, though.

    Again, thanks for the reply.
    -David
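As an added illustration of the two mechanisms discussed in this thread (not code from the posters or from the krb5 project), here is a simplified Python model of how auth_to_local rules and a ~/.k5login decide which local account a principal may use, including the first-match behaviour David notes. The RULE syntax, the whole-string selector match and the "a present .k5login is the sole allow-list" behaviour are assumptions modelled on MIT krb5 documentation; RULES, realms and principals are constructed.

```python
import re
from typing import Optional, Sequence

# Assumption: RULE:[n:string](regexp)s/pattern/replacement/[g]  or  DEFAULT  (MIT krb5 style)
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\(([^)]*)\)s/([^/]*)/([^/]*)/(g?)$")

def apply_rule(rule: str, principal: str, local_realm: str) -> Optional[str]:
    """Local name this one rule yields, or None when the rule does not apply."""
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    if rule == "DEFAULT":
        # DEFAULT: a one-component principal in the local realm maps to that component.
        return comps[0] if realm == local_realm and len(comps) == 1 else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule}")
    ncomp, fmt, selector, pattern, repl, gflag = m.groups()
    if len(comps) != int(ncomp):
        return None  # the rule only considers principals with exactly n components
    s = fmt.replace("$0", realm)  # $0 is the realm, $1..$n the components
    for i, comp in reversed(list(enumerate(comps, 1))):
        s = s.replace(f"${i}", comp)
    if re.fullmatch(selector, s) is None:  # assumption: selector covers the whole string
        return None
    return re.sub(pattern, repl, s, count=0 if gflag else 1)

def auth_to_local(rules: Sequence[str], principal: str, local_realm: str) -> Optional[str]:
    """Mapping, not a set: the first rule that yields a name wins, later rules are never consulted."""
    if "@" not in principal:
        return None
    for rule in rules:
        local = apply_rule(rule, principal, local_realm)
        if local is not None:
            return local
    return None  # no rule matched: the principal maps to no local account (deny)

def authorized(principal: str, user: str, rules: Sequence[str], local_realm: str,
               k5login: Optional[str] = None) -> bool:
    """Assumption: when ~/.k5login exists it is an explicit allow-list of full principal
    names for that account; otherwise the auth_to_local mapping must equal the user."""
    if k5login is not None:
        return principal in {ln.strip() for ln in k5login.splitlines() if ln.strip()}
    return auth_to_local(rules, principal, local_realm) == user

# Constructed sample rule set for local realm EXAMPLE.COM.
RULES = [
    r"RULE:[2:$1;$2](^.*;admin$)s/;admin$//",                      # alice/admin -> alice
    r"RULE:[1:$1@$0](^.*@PARTNER\.COM$)s/@PARTNER\.COM$//",        # bob@PARTNER.COM -> bob
    r"RULE:[1:$1@$0](^.*@PARTNER\.COM$)s/@PARTNER\.COM$/-guest/",  # shadowed by the rule above
    "DEFAULT",
]
```

Because the third rule is shadowed, bob@PARTNER.COM becomes bob rather than bob-guest, and a principal from a realm no rule covers maps to nothing and is denied.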
