Try to use the following in the realms section of the krb5.conf file on hosts with default realm REALM1:

    REALM1 = {
        auth_to_local = RULE:[1:[EMAIL PROTECTED]([EMAIL PROTECTED])s/@.*//
        auth_to_local = DEFAULT
    }

and on hosts with default REALM2:

    REALM2 = {
        auth_to_local = RULE:[1:[EMAIL PROTECTED]([EMAIL PROTECTED])s/@.*//
        auth_to_local = DEFAULT
    }

This would avoid having .k5login files everywhere, BUT you have to understand that now the administrator of REALM2 can control the access to hosts in REALM1 and userids have to be unique in both realms.

Regards
Markus

"Rohit Kumar Mehta" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
>
> Hi guys, I have a pretty basic question about how cross-realm
> authentication works with ssh. Can kerberized logins work when your TGT
> is not from the default realm (as specified by /etc/krb5.conf)?
>
> I set up 2 MIT KDCs using Ubuntu server (dapper) each in a different
> realm (say REALM1 and REALM2), and configured them for cross-realm
> authentication. I put my service principal for a test client
> (host/[EMAIL PROTECTED]) in one KDC and an account ([EMAIL PROTECTED])
> in the other.
>
> On my client (also running the same version of Ubuntu with libpam_krb5),
> I configured ssh for gssapi, and installed the keytab with the principal
> "host/[EMAIL PROTECTED]". I was able to "kinit [EMAIL PROTECTED]" and
> ssh to cselin12.REALM1 and login automatically when my default realm (in
> /etc/krb5.conf) was set to be REALM2. However, if I set it to be
> REALM1, it did not work and I get prompted for a password.
>
> This is not that big a deal for us, but if we wanted to have different
> users logging in to the same machine, some whose account principals only
> existed in REALM1 and some whose account principals only existed in
> REALM2, would there be a way to do that?
>
> Many thanks for any help,
>
> Rohit
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
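
Added example, not part of the original thread: a simplified Python model of how an auth_to_local rule of the shape quoted in the reply maps principals to local accounts, used to find the userid collisions the reply warns about. The rule's regexp is redacted in the post, so the `.*@REALM2` pattern and the sample principals below are constructed assumptions.

```python
import re

# Simplified model of MIT krb5 auth_to_local for one-component principals.
# Only handles rules shaped RULE:[1:$1@$0](regexp)s/pattern/replacement/[g]
RULE_RE = re.compile(
    r"RULE:\[1:\$1@\$0\]\((?P<match>.*)\)s/(?P<pat>[^/]*)/(?P<rep>[^/]*)/(?P<g>g?)$")

# Constructed rule set for a host whose default realm is REALM1 (assumption:
# the regexp in the post is redacted, so this one is illustrative).
RULES = ["RULE:[1:$1@$0](.*@REALM2)s/@.*//", "DEFAULT"]

# Constructed sample principals.
PRINCIPALS = ["alice@REALM1", "alice@REALM2", "bob@REALM2", "carol@REALM3"]

def map_principal(principal, default_realm, rules):
    """Return the local account for principal, or None if no rule applies."""
    name, _, realm = principal.partition("@")
    if "/" in name:
        return None  # host/... style principals are outside this model
    for rule in rules:  # rules are tried in order; first match wins
        if rule == "DEFAULT":
            if realm == default_realm:
                return name  # DEFAULT only maps the host's own realm
            continue
        m = RULE_RE.match(rule)
        if m is None:
            raise ValueError("unsupported rule: " + rule)
        selected = name + "@" + realm  # the [1:$1@$0] selection string
        # Modelled as a whole-string match against the selection string.
        if re.fullmatch(m["match"], selected):
            count = 0 if m["g"] else 1  # without g, replace first match only
            return re.sub(m["pat"], m["rep"], selected, count=count)
    return None

def find_collisions(principals, default_realm, rules):
    """Group principals by mapped local account; return accounts shared by >1."""
    seen = {}
    for p in principals:
        local = map_principal(p, default_realm, rules)
        if local is not None:
            seen.setdefault(local, []).append(p)
    return {user: ps for user, ps in seen.items() if len(ps) > 1}

if __name__ == "__main__":
    for p in PRINCIPALS:
        print(p, "->", map_principal(p, "REALM1", RULES))
    print("collisions:", find_collisions(PRINCIPALS, "REALM1", RULES))
```

Running an audit like this over the principal lists of both realms before deploying the rule shows which local accounts a REALM2 principal would be able to log in as.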