Central principal->user at host management?
David Leonard
David.Leonard at quest.com
Mon Oct 1 11:40:45 EST 2007
Jos Backus wrote:
> [Apologies if this is an off-topic question; please direct me to a more
> appropriate place if so.]
>
> Using Kerberos/GSSAPIAuthentication, is there a way to centrally
> control/manage (perhaps using LDAP?) which user principals can log into what
> hosts/accounts?
>
>
I don't know about centrally managing, except by ensuring that user
principal names align with unix account names, but for local account
control, sshd calls krb5_kuserok(). This function looks for the file
~user/.k5login and if it exists, only allows access if the authenticated
user principal is listed therein.
d
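
The `.k5login` decision described in the reply above, modelled as an added shell example (not part of the original message, and not OpenSSH or Kerberos library code). The function names, the realm `EXAMPLE.COM` and the single base directory of home directories are assumptions; the no-file branch assumes the default mapping, where the principal name aligns with the account name in the host's default realm.

```shell
#!/bin/sh
# Simplified model of the ~user/.k5login check, for auditing one host.
# Not the libkrb5 code: real libraries also check who owns the file.

# k5login_allows PRINCIPAL LOCAL_USER HOME_DIR DEFAULT_REALM
# Returns 0 if PRINCIPAL may log in as LOCAL_USER, 1 otherwise.
k5login_allows() {
    principal=$1 luser=$2 home=$3 realm=$4
    file="$home/.k5login"
    if [ -f "$file" ]; then
        # File exists: access only if the principal is listed, one per line.
        # The comparison is exact and case-sensitive.
        while IFS= read -r line || [ -n "$line" ]; do
            [ "$line" = "$principal" ] && return 0
        done < "$file"
        # Note: the account owner's own principal is refused too if unlisted.
        return 1
    fi
    # No file: only the principal whose name aligns with the account passes.
    [ "$principal" = "$luser@$realm" ]
}

# k5login_report BASE_DIR
# Prints "account<TAB>principal" for every entry in BASE_DIR/*/.k5login,
# the per-host view of which principals can log into which accounts.
k5login_report() {
    for file in "$1"/*/.k5login; do
        [ -f "$file" ] || continue
        account=$(basename "$(dirname "$file")")
        while IFS= read -r line || [ -n "$line" ]; do
            [ -n "$line" ] && printf '%s\t%s\n' "$account" "$line"
        done < "$file"
    done
    return 0
}
```

Collecting the `k5login_report` output from each host gives a central view of the mappings even though each `.k5login` file is managed locally.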