Displaying 2 results from an estimated 2 matches for "krb5_aname_to_localname".
2019 Oct 04
2
authorized_principals for Kerberos authentication
Hello,
SSH supports ~/.ssh/authorized_keys for SSH keys and
~/.ssh/authorized_principals for X509 certs.
I could not find an equivalent of authorized_keys
using Kerberos authentication.
IMHO it should be possible using the Kerberos principal
very much like the principal contained inside an X509
certificate.
My main use case is assigning a specific command to
a user logging in using Kerberos
2018 Feb 05
0
mod_auth_kerb realm not stripped
...adding AuthLDAPUrl and "require ldap-group"
directives to httpd.conf results in access being denied. Using ldapsearch
with GSSAPI (or password entry) works as expected.
After looking at debug logs and tcpdump output, I (possibly incorrectly) put
the issue down to being unsure how to get krb5_aname_to_localname to function
appropriately with the KrbLocalUserMapping directive of Apache's
mod_auth_kerb.
It does do some transformation, converting to lowercase. However, the realm
part is not stripped off. Example output from Apache error_log:
[Thu Jan 25 11:53:33.969841 2018] [auth_kerb:debug] [pid 2...