On Thu, Jul 15, 2010 at 2:20 PM, Russ Allbery <r...@stanford.edu> wrote:
> Techie <techcha...@gmail.com> writes:
>
>> I compiled Russ's pam_krb5 on Fedora and now I can use the .k5login
>> file to auth with joejohn...@example.com to my local joe account.
>> However the auth_to_local_names maps don't work..Only the .k5login
>> works.. If I remove auth_to_local_names altogether it still works with
>> the .k5login in place.
>
> auth_to_local_names is only helpful if you already have a Kerberos ticket
> and you're just verifying that ticket is sufficient to permit
> authentication. It doesn't help with figuring out what Kerberos principal
> to authenticate as at the PAM layer, since the Kerberos library doesn't
> provide a way to expose that direction of mapping.

Ok I see now, thank you for clarifying that. I was going bonkers.

>
> If you don't want to use search_k5login, you would need to use
> prompt_principal (which requires that the ssh client support
> ChallengeResponse).

.k5login appears to be cleaner, prompt_principal seems to require that I
input a principal name.

>> I did not have to do this step, duplicating the password entries. Can
>> you please explain the need for this? I did notice that using .k5login
>> the sudo command breaks and does not accept the kerb password. Is there
>> a way around this? I have the pam_krb5 listed in all 4 PAM stacks but
>> still does not accept ker password for sudo.
>
> I don't know of any reason why it shouldn't work with sudo, but I don't
> personally use sudo and don't have any simple way to test. I'd need to
> see the debug log output to understand exactly what it's doing.

You are right Russ, It was my mistake. You don't use sudo! What do you use?

Thanks
TC

>
> --
> Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos