authorized_principals for Kerberos authentication
Carson Gaspar
carson at taltos.org
Sun Oct 6 08:48:10 AEDT 2019
On 10/5/2019 3:26 AM, Damien Miller wrote:
> On Fri, 4 Oct 2019, Friedrich Schaeuffelhut wrote:
>
>> SSH supports ~/.ssh/authorzied_keys for SSH keys and
>> ~/.ssh/authorized_principals for X509 certs.
>>
>> I could not find an equivalent of authorzied_keys
>> using Kerberos authentication.
>
> I think you want ~/.k5login, but it's been years since I've used
> kerberos.
Looking at the current portable code, it appears to just call
krb5_kuserok(). That may look at k5login (the location of which is
configurable), krb5_aname_to_localname(), a custom method, or multiple
of the above, depending on which kerberos library is in use and how it
is configured. (Note that Red Hat has muddied the waters with their
patches, but let's ignore that).
To support the OP's ask of ForceCommand, etc., OpenSSH would need to
either support exposing the client principal as a type which can be used
in a Match block, or add Yet Another authorized_foo file (or extend the
format of an existing one).
I think exposing the authorized_foo functionality via Match operators
would be a more elegant solution, but I don't know how difficult that
would be to code, as I haven't looked at when (and in which process)
they are evaluated.
--
Carson
More information about the openssh-unix-dev
mailing list