Displaying 20 results from an estimated 33 matches for "k5login".

2012 Jun 04
3
Update .k5login with Puppet
Hi, can anyone suggest how I can update .k5login to append a new entry or remove an existing line? When I tried using k5login { '/root/.k5login': ensure => present, path => '/root/.k5login', principals => 'dhaval@MYREALM.COM', } it comple...
2012 Dec 28
1
Kerberos/GSSAPI auth via .k5login file
Hi, we are currently moving our mailserver to a new server with Dovecot, virtual users in LDAP, Passwords in Kerberos Setup. Everything works fine except for GSSAPI which seems to be a bit buggy. The thing is, that when using a .k5login [1] file it seems that SASL does not get passed the home directory specified userdb. In other words, mails for user1 (see below) are stored in /home/domain.at/user1, while the home dir defined in LDAP is /afs/domain.at/home/user1 (virtual users, so only dovecot, not the system does know about t...
2013 May 09
1
Crossrealm Kerberos problems
...1. mech_gssapi_userok(...) calls mech_gssapi_krb5_userok 2. mech_gssapi_krb5_userok(...) calls krb5_kuserok(...) to verify that the given Kerberos principal can log in as the requested user. 3. The authentication process is running as the Dovecot user so: 3a. krb5_kuserok(...) looks for ~dovecot/.k5login to authorize cross realm logins 3b. There is no ~dovecot/.k5login, thus no cross realm access is allowed 3c. It should be looking at the user's .k5login ~poptest/.k5login 3d. This never happens and the login attempt fails I have the server set up to use system users specifically so that I ca...
2013 Jan 16
5
[Bug 2063] New: RFE: export principal which was used for .k5login
https://bugzilla.mindrot.org/show_bug.cgi?id=2063 Bug ID: 2063 Summary: RFE: export principal which was used for .k5login Classification: Unclassified Product: Portable OpenSSH Version: 6.1p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: Kerberos support Assignee: unassigned-bugs...
2019 Oct 04
2
authorized_principals for Kerberos authentication
Hello, SSH supports ~/.ssh/authorized_keys for SSH keys and ~/.ssh/authorized_principals for X509 certs. I could not find an equivalent of authorized_keys using Kerberos authentication. IMHO it should be possible using the Kerberos principal very much like the principal contained inside an X509 certificate. My main use case is assigning a specific command to a user logging in using Kerberos
2007 Sep 30
2
Central principal->user@host management?
[Apologies if this is an off-topic question; please direct me to a more appropriate place if so.] Using Kerberos/GSSAPIAuthentication, is there a way to centrally control/manage (perhaps using LDAP?) which user principals can log into what hosts/accounts? -- Jos Backus jos at catnook.com
2014 Feb 20
0
samba4 success/failure report...all's working despite kerberized ssh
...umit > > > > > > > KRB5_TRACE=/dev/stdout /usr/sbin/sshd -ddd -p 2222 > > > > I am sorry, this does not reveal any new messages... > > > > but I think kerberos authentication is active: > > OK, I have no more idea... > > I also added a .k5login file in the users homedir in the server. > Content was only one line: > > test at WEIRD-WEB-WORKERS.ORG > > But this hasn't helped either. If I understand the use of .k5login > correct its purpose is for mappings if the username within the > directory is not the sam...
2001 Jun 28
1
Adding 'name' key types
Playing around with the [wonderful] GSS-API patches for OpenSSH [1] I noticed that there is a bit of functionality missing from OpenSSH/GSS-API, namely that authorized_keys2 has no meaning when using GSS authentication. Yes, ~/.k5login can be used to grant access to an account for applications that support Kerberos, as does OpenSSH with those GSS patches, but .k5login does not and cannot provide the from/command/environment and other useful options that SSH's authorized_keys2 file entries can. So, after looking around, espec...
2006 Aug 28
10
Templates and arrays
I'm in the process of documenting templates right now, and I figured I should see what happens when you use them with arrays: $ cat ~/bin/test.pp $values = [this, is, an, array, of, values] $content = template("/tmp/templates/testing.erb") file { "/tmp/temtest": content => $content } $ cat /tmp/templates/testing.erb <% values.each do |val| %> I got
2020 Jul 23
1
krb5_kt_start_seq_get failed (Permission denied)
Try this : #source: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/1484262 Add in /etc/krb5.conf in [libdefaults] ignore_k5login = true Did it help? If (as in my case) root is not allowed in the user homedirs it can validate on $HOME/.k5login Above fixed it for me. I only can't tell based on the config if this applies to you. It's a simple thing to try. Greetz, Louis > -----Original message----- > From:...
2002 Jan 24
1
PATCH: krb4/krb5/... names/patterns in auth_keys entries
This patch (to OpenSSH 3.0.2p1) adds support for using krb4, krb5 and other principal names in authorized_keys entries. It's a sort of replacement for .klogin and .k5login, but it's much more general than .k*login as it applies to any authentication mechanism where a name is associated with the ssh client and it supports name patterns and all the normal authorized_keys entry options we're used to. Now you can have entries like these in your authorized_keys f...
2011 Apr 21
6
ssh_authorized_key fails when home directory doesn't exist
Here is my situation: 1. We use Active directory (LDAP) to store all user info which is retrieved from linux 2. A home directory is not created until the first time the user logs into the linux system I am using the ssh_authorized_key type to push out my ssh keys to every system. However, because I haven't logged into every system at least once, Puppet errors out due to a missing
2020 Oct 10
0
Mail samba
...fsg) > Conflicts: libpam-heimdal > Description: PAM module for MIT Kerberos > A Kerberos PAM module build against the MIT Kerberos libraries. It > supports authenticating against a Kerberos KDC, obtaining tickets and > populating an initial ticket cache, authorizing users via a ~/.k5login > file, and changing Kerberos passwords. > Homepage: https://www.eyrie.org/~eagle/software/pam-krb5/ > Original-Maintainer: Russ Allbery <rra at debian.org> > > root at dna:/data/wordpress/database/html# ldapsearch -h > gaia.rompen.lokaal -...
2009 Mar 03
0
GSSAPI cross-realm still broken
...re robust security checking be done instead of abusing gss_compare_name like this? I don't know how to do this using GSSAPI, but on the Kerberos side Heimdal provides the function krb5_kuserok. Dovecot could also just have a configurable file listing acceptable krb5 principals (preferably in .k5login syntax) and check that both auth_name and authz_name are in the list. Bryan Jacobs -------------- next part -------------- A non-text attachment was scrubbed... Name: authnmis2.patch Type: text/x-patch Size: 1646 bytes Desc: not available URL: <http://dovecot.org/pipermail/dovecot/attachments/2...
2002 Jan 25
0
[Bug 78] New: Support use of named (krb4, krb5, gsi, x.509) keys in auth_keys entries
...simplify key management and authorized_keys file management in environments where Kerberos or GSI are in use with OpenSSH (see Simon Wilkinson's patch to OpenSSH that implements the gsskeyex draft). These features represent a much more general authorization system for Kerberos than .klogin or .k5login, and apply to other authentication mechanisms as well (again, GSI/X.509, and, in the future, when direct X.509 support is added to OpenSSH, x.509). These features, or a variation thereof, in OpenSSH, would be greatly appreciated. ------- You are receiving this mail because: ------- You are the...
2005 Jul 07
2
openssh and kerb 1.4.1 not so happy together
Folks, I seem to have a problem when I upgraded our kerberos from 1.3.1 to 1.4.1 (MIT krb 5), all of a sudden I can't ssh as another user. i.e. ssh host works but ssh joe at host doesn't work. Same with scp's. I've tried recompiling ssh (even though the so-name of kerb libs didn't change), but it didn't work, and still no go... I'm using openssh 3.9p1 on Solaris
2005 Nov 27
3
OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found
Greetings, I'm working on the infrastructure of a medium size client/server environment using an Active Directory running on Windows Server 2003 for central authentication of users on linux clients. Additionally OpenAFS is running using Kerberos authentication through Active Directory as well. Now I want to grant users remote access to their AFS data by logging in into a central OpenSSH
2008 Feb 12
1
UFS snapshot weirdness
...pshot, a given directory looks like so: drwxr-xr-x 3 root wheel 512 Jan 29 15:25 . drwxr-xr-x 18 root wheel 512 Jan 29 13:49 .. -rw------- 1 root wheel 1281 Jan 31 17:12 .bash_history -rw-r--r-- 2 root wheel 786 Jan 29 13:00 .cshrc -rw-r--r-- 1 root wheel 143 Jan 29 13:00 .k5login -rw-r--r-- 1 root wheel 293 Jan 29 13:00 .login -rw-r--r-- 2 root wheel 253 Jan 29 13:00 .profile drwxr-xr-x 2 root wheel 512 Jan 29 13:00 .ssh However, when looking into the same directory outside the snapshot, it looks like so: -rw------- 1 root wheel 2961 Feb 12 00:39...
2009 Mar 03
2
GSSAPI cross-realm fixed
...that authn_name and authz_name are the same. Instead, make TWO calls to krb5_kuserok, one for each ID. If both IDs are acceptable, allow the login. 2. Disable checking that the name is a GSS_KRB5_PRINCIPAL_NAME, as this doesn't appear to be always the case for the authz_name. If I create a .k5login listing both username at REALM1 and username at REALM2, and make that file follow the appropriate security restrictions (world read, user only write permissions), this lets me use GSSAPI logins with principals from either REALM1 or REALM2. This leaves untouched the behavior in the case where krb5_...
2018 Oct 10
1
NFSv4, homes, Kerberos...
...n or the rdns check in krb5.conf but i did not test that. > > > > # Tested on Debian Stretch - NFSv4 SERVER > > apt-get install --auto-remove nfs-kernel-server > > systemctl stop nfs-* > > > > Added in krb5.conf below the default_realm setting. > > ; ignore k5login not being accessible in the user home dir. > > ignore_k5login = true > > > > ; for Windows 2008 with AES, needed by CIFS also. ( don't > forget the cifs/spn ) > > default_tgs_enctypes = aes128-cts-hmac-sha1-96 > aes256-cts-hmac-sha1-96 rc4-hmac des-c...