search for: krb5_aname_to_localnam

Hello, SSH supports ~/.ssh/authorzied_keys for SSH keys and ~/.ssh/authorized_principals for X509 certs. I could not find an equivalent of authorzied_keys using Kerberos authentication. IMHO it should be possible using the Kerberos principal very much like the principal contained inside a X509 certificate. My main use case is assigning a specific command to a user logging in using Kerberos

...adding AuthLDAPUrl and "require ldap-group" directives to httpd.conf results in access being denied. Using ldapsearch with GSSAPI (or password entry) works as expected. After looking at debug logs and tcpdump output, I (possibly incorrectly) put the issue down to being unsure how to get krb5_aname_to_localname to function appropriately with the KrbLocalUserMapping directive of apache's mod_auth_kerb. It does do some transformation, converting to lowercase. However the realm part is not stripped off. Example output from apache error_log: [Thu Jan 25 11:53:33.969841 2018] [auth_kerb:debug] [pid...