Central principal->user at host management?

Douglas E. Engert deengert at anl.gov
Tue Oct 2 23:45:33 EST 2007



Jos Backus wrote:
> On Mon, Oct 01, 2007 at 11:22:57AM -0500, Douglas E. Engert wrote:
>> In addition to the ~.k5login, sounds like what you would like would be a
>> krb5.conf  [realm] auth_to_local=LDAP:.... option. But I don't know
>> if one exists. (Would be nice if it did...)  There is a auth_to_local=DB:...
>> option that uses a local database.
> 
> Using a local db would be tantamount to managing .k5login files so that
> doesn't really help. 

The main differences are the ~/.k5login is under control of the user,
and may be located in a NFS shared home directory. The db is under control
of the admin.

> Regarding LDAP support, one consideration is that sshd
> would have to be able to authenticate the LDAP server (using Kerberos) to
> prevent spoofing. 

I think you said you where using LDAP. This situation is no different from
using nss-ldap, to replace the passwd and group files. The libnss-ldap has
to authenticate the ldap server to avoid spoofing. The k5login could be just
another nisMap with nisObjects table much like autofs can use ldap.

This adds yet more complexity.

The complexity should be in the krb5 libs under the krb5_kuserok routine,
so sshd has no changes. But the code has not been written as far as I know.

> 
> So I am wondering if given the stated requirement, Kerberos is the right
> choice. Should I just be (securely) distributing authorized_keys files?  What
> am I missing?
> 
> Thanks,

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


More information about the openssh-unix-dev mailing list