[Apologies if this is an off-topic question; please direct me to a more
appropriate place if so.]

Using Kerberos/GSSAPIAuthentication, is there a way to centrally
control/manage (perhaps using LDAP?) which user principals can log into what
hosts/accounts?

--
Jos Backus
jos at catnook.com
Jos Backus wrote:
> [Apologies if this is an off-topic question; please direct me to a more
> appropriate place if so.]
>
> Using Kerberos/GSSAPIAuthentication, is there a way to centrally
> control/manage (perhaps using LDAP?) which user principals can log into what
> hosts/accounts?
>

I don't know about centrally managing, except by ensuring that user principal
names align with unix account names, but for local account control, sshd calls
krb5_kuserok(). This function looks for the file ~user/.k5login and if it
exists, only allows access if the authenticated user principal is listed
therein.

d
Jos Backus wrote:
> [Apologies if this is an off-topic question; please direct me to a more
> appropriate place if so.]
>
> Using Kerberos/GSSAPIAuthentication, is there a way to centrally
> control/manage (perhaps using LDAP?) which user principals can log into what
> hosts/accounts?

In addition to the ~/.k5login, sounds like what you would like would be a
krb5.conf [realm] auth_to_local=LDAP:.... option. But I don't know if one
exists. (Would be nice if it did...)

There is an auth_to_local=DB:... option that uses a local database.

--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
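The two replies above describe the decision sshd ends up making: krb5_kuserok() consults ~user/.k5login when it exists, and otherwise falls back to the realm's auth_to_local mapping of the principal to a local account name. The following is an added illustration written for this thread, not code from the mailing list, sshd or MIT Kerberos; it models that decision in Python so the interaction between the two mechanisms can be exercised offline. The realm name, principals and .k5login contents are constructed sample data, and only the built-in default auth_to_local rule (single-component principal in the default realm maps to its own name) is modelled; the DB: and hypothetical LDAP: mappings mentioned above are not implemented here.

```python
"""Model of the krb5_kuserok() access decision (illustrative, not libkrb5 code)."""

from typing import Optional, Set

# Constructed sample realm for the example; a real host reads this from krb5.conf.
DEFAULT_REALM = "EXAMPLE.COM"


def default_auth_to_local(principal: str, default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """Apply the default auth_to_local rule: a single-component principal in the
    default realm maps to a local account of the same name; anything else (a
    foreign realm, or a multi-component principal such as alice/admin) maps to
    nothing, so it cannot match any local account by default."""
    name, sep, realm = principal.rpartition("@")
    if not sep or realm != default_realm:
        return None
    if "/" in name:
        return None
    return name


def parse_k5login(text: str) -> Set[str]:
    """Parse the contents of a ~user/.k5login file: one principal per line,
    blank lines ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def kuserok(principal: str, local_user: str, k5login_text: Optional[str],
            default_realm: str = DEFAULT_REALM) -> bool:
    """Emulate krb5_kuserok().

    k5login_text is the content of ~local_user/.k5login, or None when the file
    does not exist. When the file exists it is authoritative: only the listed
    principals may log in as local_user, even the principal whose default
    mapping would otherwise match. When it is absent, access is granted only
    if the principal's auth_to_local mapping equals local_user."""
    if k5login_text is not None:
        return principal in parse_k5login(k5login_text)
    return default_auth_to_local(principal, default_realm) == local_user


def demo() -> dict:
    """Run a few constructed scenarios and return the decisions."""
    # Constructed ~alice/.k5login delegating the 'alice' account to two other principals.
    alice_k5login = "bob@EXAMPLE.COM\nops/admin@EXAMPLE.COM\n"
    return {
        # No .k5login: default mapping decides.
        "same_realm_no_file": kuserok("alice@EXAMPLE.COM", "alice", None),
        "foreign_realm_no_file": kuserok("alice@OTHER.ORG", "alice", None),
        "other_user_no_file": kuserok("bob@EXAMPLE.COM", "alice", None),
        # .k5login present: only listed principals, even alice herself is excluded.
        "listed_in_file": kuserok("bob@EXAMPLE.COM", "alice", alice_k5login),
        "listed_multi_component": kuserok("ops/admin@EXAMPLE.COM", "alice", alice_k5login),
        "owner_not_listed": kuserok("alice@EXAMPLE.COM", "alice", alice_k5login),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:26s} -> {'allow' if allowed else 'deny'}")
```

The last scenario is the caveat worth noting when auditing hosts: a per-account .k5login replaces the default mapping rather than extending it, so an account whose file lists other principals but omits the account owner's own principal locks the owner out under GSSAPI authentication.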