Central principal->user at host management?
Jos Backus
jos at catnook.com
Tue Oct 2 02:02:28 EST 2007
On Mon, Oct 01, 2007 at 11:40:45AM +1000, David Leonard wrote:
> Jos Backus wrote:
> > [Apologies if this is an off-topic question; please direct me to a more
> > appropriate place if so.]
> >
> > Using Kerberos/GSSAPIAuthentication, is there a way to centrally
> > control/manage (perhaps using LDAP?) which user principals can log into what
> > hosts/accounts?
> >
> >
> I don't know about centrally managing, except by ensuring that user
> principal names align with unix accountnames, but for local account
> control, sshd calls krb5_kuserok(). This function looks for the file
> ~user/.k5login and if it exists, only allows access if the authenticated
> user principal is listed therein.
I'm aware of this. But I have a hard time justifying Kerberos (and the
associated complexity it introduces) if it can't meet this requirement whereas
distributing authorized_keys files using Puppet on all hosts can.
--
Jos Backus
jos at catnook.com
More information about the openssh-unix-dev
mailing list