Central principal->user at host management?

Jos Backus jos at catnook.com
Tue Oct 2 09:42:44 EST 2007


On Mon, Oct 01, 2007 at 11:22:57AM -0500, Douglas E. Engert wrote:
> In addition to the ~/.k5login, sounds like what you would like would be a
> krb5.conf [realm] auth_to_local=LDAP:.... option. But I don't know
> if one exists. (Would be nice if it did...) There is an auth_to_local=DB:...
> option that uses a local database.

Using a local db would be tantamount to managing .k5login files so that
doesn't really help. Regarding LDAP support, one consideration is that sshd
would have to be able to authenticate the LDAP server (using Kerberos) to
prevent spoofing. This adds yet more complexity.

So I am wondering if, given the stated requirement, Kerberos is the right
choice. Should I just be (securely) distributing authorized_keys files? What
am I missing?

Thanks,
-- 
Jos Backus
jos at catnook.com


More information about the openssh-unix-dev mailing list