On Tue, May 31, 2022 at 3:36 PM Carson Gaspar <car...@taltos.org> wrote:
> On 5/31/2022 12:16 PM, Jeffrey Hutzelman wrote:
> > That code should not actually be used on a properly-configured PAM-based
> > system. Typical configuration for such systems should enable UsePAM and
> > KbdInteractiveAuthentication and disable PasswordAuthentication and
> > ChallengeResponseAuthentication. This causes all password verification to
> > go through PAM. Then all you need is a PAM module that can be configured
> > to behave as you desire. I believe Russ Allbery's pam_krb5 has all the
> > knobs you need.
>
> I agree about the sshd config options, but looking at the source code
> for Russ's pam_krb5, I don't think it will work as-is without changing
> the username provided by the client (see my previous post).

It will. You want something like

  alt_auth_map=%s/ssh@REALM
  only_alt_auth=true

> > For true Kerberos authentication (i.e. using Kerberos tickets, not a
> > password), you can control which principals are allowed to log in as a
> > user by means of the user's .k5login file.
>
> Please, no - set up a localname mapping instead of trying to manage a
> bajilion k5login files.

Yeah, a mapping is probably better for this application.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
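Putting the three pieces of this thread together, here is an added configuration example (written for this page, not posted by anyone in the thread) for a host where a user logging in over ssh must present the password of `<user>/ssh@REALM`, and the principal-to-local-user check is done by an auth_to_local mapping instead of per-user .k5login files. The realm EXAMPLE.COM, the user `alice`, and the file paths are assumptions; confirm option names against the pam_krb5 and sshd_config manual pages on the target system.

```text
# /etc/ssh/sshd_config (excerpt): send every password check through PAM.
# With PasswordAuthentication yes, sshd would verify passwords itself and
# bypass the PAM module below.
UsePAM yes
KbdInteractiveAuthentication yes
PasswordAuthentication no
# On OpenSSH 8.7 and later, ChallengeResponseAuthentication is just an alias
# for KbdInteractiveAuthentication, so do not set it to a conflicting value;
# on older servers use "ChallengeResponseAuthentication yes" instead of the
# KbdInteractiveAuthentication line above.

# /etc/pam.d/sshd (excerpt): Russ Allbery's pam_krb5.
# alt_auth_map rewrites the client-supplied user name (%s) into the principal
# whose password is actually verified; only_alt_auth refuses to fall back to
# the plain user@REALM principal, so the ssh-specific password is mandatory.
# "alice" typed at the ssh prompt -> password of alice/ssh@EXAMPLE.COM.
auth     sufficient pam_krb5.so alt_auth_map=%s/ssh@EXAMPLE.COM only_alt_auth
auth     required   pam_deny.so
account  required   pam_krb5.so
session  optional   pam_krb5.so

# /etc/krb5.conf (excerpt): the localname mapping Carson suggests in place of
# ~/.k5login files. The account step above asks the library whether the
# authenticated principal may log in as the local user; with no .k5login
# present, MIT krb5 answers that from these rules.
# Assumed rule syntax: [2:$1;$2] turns a two-component principal into
# "first;second", the regex requires the second component to be "ssh", and
# the substitution strips it, so alice/ssh@EXAMPLE.COM -> alice.
# Anything else falls through to DEFAULT, which accepts only bare
# user@EXAMPLE.COM principals (and those never match alt_auth_map here).
[realms]
    EXAMPLE.COM = {
        auth_to_local = RULE:[2:$1;$2](^.*;ssh$)s/;ssh$//
        auth_to_local = DEFAULT
    }
```

A quick check after deploying: `kinit alice/ssh` should succeed with the ssh password, and a login attempt with alice's ordinary `alice@EXAMPLE.COM` password should be refused by the auth stack rather than quietly accepted.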