Central principal->user at host management?

David Leonard David.Leonard at quest.com
Mon Oct 1 11:40:45 EST 2007

Jos Backus wrote:
> [Apologies if this is an off-topic question; please direct me to a more
> appropriate place if so.]
> Using Kerberos/GSSAPIAuthentication, is there a way to centrally
> control/manage (perhaps using LDAP?) which user principals can log into what
> hosts/accounts?
I don't know about centrally managing, except by ensuring that user
principal names align with unix account names, but for local account
control, sshd calls krb5_kuserok(). This function looks for the file
~user/.k5login and if it exists, only allows access if the authenticated
user principal is listed therein.
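
Added example, not part of the original post and not code from OpenSSH or a Kerberos library: a Python model of the .k5login rule described above, used to report per host which principals may log into which accounts. The function names, the EXAMPLE.COM realm and the sample accounts are assumptions, and the no-file fallback is simplified to "principal name equals account name in the default realm".

```python
import os
import tempfile


def allowed_principals(home, account, default_realm):
    """Principals that may log into `account` under the rule described above.

    If <home>/.k5login exists, only the principals listed in it are allowed
    (an empty file therefore allows nobody). If it does not exist, fall back
    to the principal whose name matches the account (simplified assumption).
    File ownership and permission checks are not modeled here.
    """
    path = os.path.join(home, ".k5login")
    try:
        with open(path, encoding="utf-8") as fh:
            return {line.strip() for line in fh if line.strip()}
    except FileNotFoundError:
        return {f"{account}@{default_realm}"}


def kuserok(principal, home, account, default_realm):
    """Hypothetical stand-in for the access decision, not the library call."""
    return principal in allowed_principals(home, account, default_realm)


def audit(homes, default_realm):
    """homes maps account -> home directory; returns account -> principals."""
    return {acct: sorted(allowed_principals(home, acct, default_realm))
            for acct, home in homes.items()}


def build_sample(root):
    """Constructed sample: 'alice' has no .k5login, 'deploy' lists two users."""
    homes = {}
    for acct in ("alice", "deploy"):
        homes[acct] = os.path.join(root, acct)
        os.makedirs(homes[acct])
    with open(os.path.join(homes["deploy"], ".k5login"), "w") as fh:
        fh.write("bob@EXAMPLE.COM\ncarol@EXAMPLE.COM\n")
    return homes


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for acct, princs in audit(build_sample(root), "EXAMPLE.COM").items():
            print(f"{acct}: {', '.join(princs)}")
```

Collecting this report from every host gives a central view of the mapping, even though each .k5login is still enforced locally.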

