Central principal->user at host management?

Jos Backus jos at catnook.com
Tue Oct 2 02:02:28 EST 2007

On Mon, Oct 01, 2007 at 11:40:45AM +1000, David Leonard wrote:
> Jos Backus wrote:
> > [Apologies if this is an off-topic question; please direct me to a more
> > appropriate place if so.]
> >
> > Using Kerberos/GSSAPIAuthentication, is there a way to centrally
> > control/manage (perhaps using LDAP?) which user principals can log into what
> > hosts/accounts?
> >
> >   
> I don't know about centrally managing, except by ensuring that user
> principal names align with unix account names, but for local account
> control, sshd calls krb5_kuserok(). This function looks for the file
> ~user/.k5login and if it exists, only allows access if the authenticated
> user principal is listed therein.

I'm aware of this. But I have a hard time justifying Kerberos (and the
associated complexity it introduces) if it can't meet this requirement whereas
distributing authorized_keys files using Puppet on all hosts can.

Jos Backus
jos at catnook.com
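As an added illustration (not code from this thread, nor from OpenSSH or any Kerberos library), the following Python models the krb5_kuserok() decision David describes and evaluates it across several hosts, which is the per-host control the question is really about. The default realm EXAMPLE.COM, the host names and the .k5login contents are constructed for the example.

```python
from typing import Dict, List, Optional

# Assumed default Kerberos realm of the hosts (constructed for this example).
DEFAULT_REALM = "EXAMPLE.COM"

def parse_k5login(text: str) -> List[str]:
    """Principals listed in a .k5login body, one per line.

    Blank lines and surrounding whitespace are ignored; an entry written
    without a realm is qualified with DEFAULT_REALM, as the library does
    when it parses each line as a principal name.
    """
    principals = []
    for line in text.splitlines():
        entry = line.strip()
        if entry:
            principals.append(entry if "@" in entry else f"{entry}@{DEFAULT_REALM}")
    return principals

def kuserok(principal: str, account: str, k5login: Optional[str]) -> bool:
    """Model the answer sshd gets from krb5_kuserok() on one host.

    k5login is the content of ~account/.k5login, or None when the file is
    absent.  (Real implementations also verify the file's ownership and
    permissions before trusting it; that check is omitted here.)
    """
    if k5login is not None:
        # File present: only listed principals may log in, so an empty file
        # denies everyone, including the account owner.
        return principal in parse_k5login(k5login)
    # No file: default mapping accepts the principal only when its name
    # equals the local account name in the default realm.
    return principal == f"{account}@{DEFAULT_REALM}"

def authorize_across_hosts(principal: str, account: str,
                           k5login_by_host: Dict[str, Optional[str]]) -> Dict[str, bool]:
    """Per-host decision for one principal/account pair: this is what a
    centrally distributed set of .k5login files actually controls."""
    return {host: kuserok(principal, account, content)
            for host, content in k5login_by_host.items()}

# Constructed sample: ~root/.k5login on three hosts.
SAMPLE_HOSTS = {
    "web1": "alice@EXAMPLE.COM\nbob\n",  # alice and bob may become root
    "db1": "alice@EXAMPLE.COM\n",         # only alice
    "build1": None,                       # no file: only root@EXAMPLE.COM
}
```

Note that an existing but empty .k5login denies every principal, the account owner included, so a distribution tool must remove the file rather than empty it to fall back to the default name mapping.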
