Displaying 20 results from an estimated 33 matches for "k5login".
2012 Jun 04
3
Update .k5login with Puppet
Hi,
can anyone suggest how I can update .k5login to append a new entry or
remove an existing line
when I tried using
k5login { '/root/.k5login':
  ensure => present,
  path => '/root/.k5login',
  principals => 'dhaval@MYREALM.COM',
}
it comple...
2012 Dec 28
1
Kerberos/GSSAPI auth via .k5login file
Hi, we are currently moving our mailserver to a new server with Dovecot,
virtual users in LDAP, Passwords in Kerberos Setup. Everything works
fine except for GSSAPI which seems to be a bit buggy.
The thing is, that when using a .k5login [1] file it seems that SASL
does not get passed the home directory specified userdb. In other words,
mails for user1 (see below) are stored in /home/domain.at/user1, while
the home dir defined in LDAP is /afs/domain.at/home/user1 (virtual
users, so only dovecot, not the system does know about t...
2013 May 09
1
Crossrealm Kerberos problems
...1. mech_gssapi_userok(...) calls mech_gssapi_krb5_userok
2. mech_gssapi_krb5_userok(...) calls krb5_kuserok(...) to verify that
the given Kerberos principal can log in as the requested user.
3. The authentication process is running as the Dovecot user so:
3a. krb5_kuserok(...) looks for ~dovecot/.k5login to authorize cross
realm logins
3b. There is no ~dovecot/.k5login, thus no cross realm access is allowed
3c. It should be looking at the user's .k5login ~poptest/.k5login
3d. This never happens and the login attempt fails
I have the server set up to use system users specifically so that I ca...
2013 Jan 16
5
[Bug 2063] New: RFE: export principal which was used for .k5login
https://bugzilla.mindrot.org/show_bug.cgi?id=2063
Bug ID: 2063
Summary: RFE: export principal which was used for .k5login
Classification: Unclassified
Product: Portable OpenSSH
Version: 6.1p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Kerberos support
Assignee: unassigned-bugs...
2019 Oct 04
2
authorized_principals for Kerberos authentication
Hello,
SSH supports ~/.ssh/authorized_keys for SSH keys and
~/.ssh/authorized_principals for X509 certs.
I could not find an equivalent of authorized_keys
using Kerberos authentication.
IMHO it should be possible using the Kerberos principal
very much like the principal contained inside a X509
certificate.
My main use case is assigning a specific command to
a user logging in using Kerberos
2007 Sep 30
2
Central principal->user@host management?
[Apologies if this is an off-topic question; please direct me to a more
appropriate place if so.]
Using Kerberos/GSSAPIAuthentication, is there a way to centrally
control/manage (perhaps using LDAP?) which user principals can log into what
hosts/accounts?
--
Jos Backus
jos at catnook.com
2014 Feb 20
0
samba4 success/failure report...all's working despite kerberized ssh
...umit
> > >
> >
> > KRB5_TRACE=/dev/stdout /usr/sbin/sshd -ddd -p 2222
> >
> > I am sorry, this does not reveal any new messages...
> >
> > but I think kerberos authentication is active:
>
> OK, I have no more idea...
>
> I also added a .k5login file in the users homedir in the server.
> Content was only one line:
>
> test at WEIRD-WEB-WORKERS.ORG
>
> But this hasn't helped either. If I understand the use of .k5login
> correctly, its purpose is for mappings if the username within the
> directory is not the sam...
2001 Jun 28
1
Adding 'name' key types
Playing around with the [wonderful] GSS-API patches for OpenSSH [1] I
noticed that there is a bit of functionality missing from
OpenSSH/GSS-API, namely that authorized_keys2 has no meaning when using
GSS authentication.
Yes, ~/.k5login can be used to grant access to an account for
applications that support Kerberos, as does OpenSSH with those GSS
patches, but .k5login does not and cannot provide the
from/command/environment and other useful options that SSH's
authorized_keys2 file entries can.
So, after looking around, espec...
2006 Aug 28
10
Templates and arrays
I'm in the process of documenting templates right now, and I figured
I should see what happens when you use them with arrays:
$ cat ~/bin/test.pp
$values = [this, is, an, array, of, values]
$content = template("/tmp/templates/testing.erb")
file { "/tmp/temtest": content => $content }
$ cat /tmp/templates/testing.erb
<% values.each do |val| %>
I got
2020 Jul 23
1
krb5_kt_start_seq_get failed (Permission denied)
Try this :
#source: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/1484262
Add in /etc/krb5.conf in [libdefaults]
ignore_k5login = true
Did it help?
If (as in my case) root is not allowed in the user homedirs it can validate on $HOME/.k5login
Above fixed it for me.
I only can't tell based on the config if this applies to you.
It's a simple thing to try.
Greetz,
Louis
2002 Jan 24
1
PATCH: krb4/krb5/... names/patterns in auth_keys entries
This patch (to OpenSSH 3.0.2p1) adds support for using krb4, krb5 and
other principal names in authorized_keys entries.
It's a sort of replacement for .klogin and .k5login, but it's much more
general than .k*login as it applies to any authentication mechanism
where a name is associated with the ssh client and it supports name
patterns and all the normal authorized_keys entry options we're used to.
Now you can have entries like these in your authorized_keys f...
2011 Apr 21
6
ssh_authorized_key fails when home directory doesn't exist
Here is my situation:
1. We use Active directory (LDAP) to store all user info which is retrieved from linux
2. A home directory is not created until the first time the user logs into the linux system
I am using the ssh_authorized_key type to push out my ssh keys to every system. However, because I haven't logged into every system at least once, Puppet errors out due to a missing
2020 Oct 10
0
Mail samba
...fsg)
> Conflicts: libpam-heimdal
> Description: PAM module for MIT Kerberos
>  A Kerberos PAM module build against the MIT Kerberos libraries. It
>  supports authenticating against a Kerberos KDC, obtaining tickets and
>  populating an initial ticket cache, authorizing users via a ~/.k5login
>  file, and changing Kerberos passwords.
> Homepage: https://www.eyrie.org/~eagle/software/pam-krb5/
> Original-Maintainer: Russ Allbery <rra at debian.org <mailto:rra at debian.org>>
>
> root at dna:/data/wordpress/database/html# ldapsearch -h
> gaia.rompen.lokaal -...
2009 Mar 03
0
GSSAPI cross-realm still broken
...re robust security checking be done instead
of abusing gss_compare_name like this? I don't know how to do
this using GSSAPI, but on the Kerberos side Heimdal provides the
function krb5_kuserok. Dovecot could also just have a configurable
file listing acceptable krb5 principals (preferably in .k5login syntax)
and check that both auth_name and authz_name are in the list.
Bryan Jacobs
2002 Jan 25
0
[Bug 78] New: Support use of named (krb4, krb5, gsi, x.509) keys in auth_keys entries
...simplify key management and authorized_keys file
management in environments where Kerberos or GSI are in use with OpenSSH
(see Simon Wilkinson's patch to OpenSSH that implements the gsskeyex
draft). These features represent a much more general authorization system
for Kerberos than .klogin or .k5login, and apply to other authentication
mechanisms as well (again, GSI/X.509, and, in the future, when direct
X.509 support is added to OpenSSH, x.509).
These features, or a variation thereof, in OpenSSH, would be greatly
appreciated.
2005 Jul 07
2
openssh and kerb 1.4.1 not so happy together
Folks,
I seem to have a problem when I upgraded our kerberos from 1.3.1 to 1.4.1 (MIT
krb 5), all of a sudden I can't ssh as another user.
i.e.
ssh host
works but
ssh joe at host
doesn't work. Same with scp's.
I've tried recompiling ssh (even though the so-name of kerb libs didn't
change), but it didn't work, and still no go... I'm using openssh 3.9p1 on
Solaris
2005 Nov 27
3
OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found
Greetings,
I'm working on the infrastructure of a medium size client/server
environment using an Active Directory running on Windows Server 2003 for
central authentication of users on linux clients.
Additionally OpenAFS is running using Kerberos authentication through
Active Directory as well.
Now I want to grant users remote access to their AFS data by logging in
to a central OpenSSH
2008 Feb 12
1
UFS snapshot weirdness
...pshot, a given
directory looks like so:
drwxr-xr-x 3 root wheel 512 Jan 29 15:25 .
drwxr-xr-x 18 root wheel 512 Jan 29 13:49 ..
-rw------- 1 root wheel 1281 Jan 31 17:12 .bash_history
-rw-r--r-- 2 root wheel 786 Jan 29 13:00 .cshrc
-rw-r--r-- 1 root wheel 143 Jan 29 13:00 .k5login
-rw-r--r-- 1 root wheel 293 Jan 29 13:00 .login
-rw-r--r-- 2 root wheel 253 Jan 29 13:00 .profile
drwxr-xr-x 2 root wheel 512 Jan 29 13:00 .ssh
However, when looking into the same directory outside the snapshot, it
looks like so:
-rw------- 1 root wheel 2961 Feb 12 00:39...
2009 Mar 03
2
GSSAPI cross-realm fixed
...that
authn_name and authz_name are the same. Instead, make TWO calls to
krb5_kuserok, one for each ID. If both IDs are acceptable, allow the
login.
2. Disable checking that the name is a GSS_KRB5_PRINCIPAL_NAME, as
this doesn't appear to be always the case for the authz_name.
If I create a .k5login listing both username at REALM1 and
username at REALM2, and make that file follow the appropriate security
restrictions (world read, user only write permissions), this lets me
use GSSAPI logins with principals from either REALM1 or REALM2.
This leaves untouched the behavior in the case where krb5_...
2018 Oct 10
1
NFSv4, homes, Kerberos...
...n or the rdns check in krb5.conf but i did not test that.
> >
> > # Tested on Debian Stretch - NFSv4 SERVER
> > apt-get install --auto-remove nfs-kernel-server
> > systemctl stop nfs-*
> >
> > Added in krb5.conf below the default_realm setting.
> > ; ignore k5login not being accessible in the user home dir.
> > ignore_k5login = true
> >
> > ; for Windows 2008 with AES, needed by CIFS also. ( dont
> forget the cifs/spn )
> > default_tgs_enctypes = aes128-cts-hmac-sha1-96
> aes256-cts-hmac-sha1-96 rc4-hmac des-c...