Try using the following in the realms section of the krb5.conf file on hosts
with default realm REALM1:

        REALM1 = {
                auth_to_local = RULE:[1:[EMAIL PROTECTED]([EMAIL PROTECTED])s/@.*//
                auth_to_local = DEFAULT
        }


and on hosts with default REALM2:

        REALM2 = {
                auth_to_local = RULE:[1:[EMAIL PROTECTED]([EMAIL PROTECTED])s/@.*//
                auth_to_local = DEFAULT
        }


This would avoid having .k5login files everywhere, BUT you have to
understand that now the administrator of REALM2 can control the access to
hosts in REALM1 and userids have to be unique in both realms.

Regards
Markus

"Rohit Kumar Mehta" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
>
> Hi guys, I have a pretty basic question about how cross-realm
> authentication works with ssh.  Can kerberized logins work when your TGT
> is not from the default realm (as specified by /etc/krb5.conf)
>
> I set up 2 MIT KDCs using Ubuntu server (dapper) each in a different
> realm (say REALM1 and REALM2), and configured them for cross-realm
> authentication. I put my service principal for a test client
> (host/[EMAIL PROTECTED]) in one KDC and an account ([EMAIL PROTECTED])
> in the other.
>
> On my client (also running the same version of Ubuntu with libpam_krb5),
> I configured ssh for gssapi, and installed the keytab with the principal
> "host/[EMAIL PROTECTED]".  I was able to "kinit [EMAIL PROTECTED]" and
> ssh to cselin12.REALM1 and login automatically when my default realm (in
> /etc/krb5.conf) was set to be REALM2.  However, if I set it to be
> REALM1, it did not work and I get prompted for a password.
>
> This is not that big a deal for us, but if we wanted to have different
> users logging in to the same machine, some whose account principals only
> existed in REALM1 and some whose account principals only existed in
> REALM2, would there be a way to do that?
>
> Many thanks for any help,
>
> Rohit
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
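
The caveat in the reply above about unique userids, as an added example that is not part of the original thread: a simplified Python model of MIT krb5 auth_to_local processing on a host whose default realm is REALM1, used to list principals from both realms that land on the same local account. The rule string is an assumption (the thread's own rule is redacted in this archive), and `map_principal` and `collisions` are hypothetical helper names.

```python
import re

# Assumed rule set for a host with default realm REALM1. The selection string
# and regex are constructed; the values in the original mail are redacted.
DEFAULT_REALM = "REALM1"
RULES = ["RULE:[1:$1@$0](.*@REALM2)s/@.*//", "DEFAULT"]

RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")

def map_principal(principal, rules=RULES, default_realm=DEFAULT_REALM):
    """Return the local account for a principal, or None if no rule applies."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT maps only single-component principals of the default realm.
            if len(comps) == 1 and realm == default_realm:
                return comps[0]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError("unsupported rule: " + rule)
        n, fmt, regex, pat, repl, flag = m.groups()
        if len(comps) != int(n):
            continue  # rule applies only to principals with exactly n components
        # $0 is the realm, $1..$n are the name components.
        s = re.sub(r"\$(\d)", lambda d: ([realm] + comps)[int(d.group(1))], fmt)
        # The regex has to match the whole selection string.
        if regex is not None and not re.fullmatch(regex, s):
            continue
        if pat is not None:
            s = re.sub(pat, repl, s, count=0 if flag else 1)
        return s
    return None

def collisions(principals):
    """Group principals that map to the same local account."""
    seen = {}
    for p in principals:
        local = map_principal(p)
        if local is not None:
            seen.setdefault(local, []).append(p)
    return {user: ps for user, ps in seen.items() if len(ps) > 1}

# Constructed sample principals, not taken from the thread.
SAMPLE = ["alice@REALM1", "alice@REALM2", "bob@REALM2", "alice/admin@REALM2"]
```

Running `collisions()` over a dump of user principals from both KDCs before deploying the rule shows which accounts the other realm's administrator could log in to.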


