On 5/31/22 12:05, Dan Mahoney wrote:
> On most of our boxes, ssh is the ONLY kerberized app, but there's no
> provision in krb5.conf to say what the default principal based on a username
> is. None of the PAM modules seem to be able to set it, either. I conjured
> up an elaborate way to do this by forcing the .k5logindir to be something the
> users couldn't touch, and forcing a create for each user, but this doesn't
> help the password case.
>
> Does anyone know of a simple way to accomplish this? There are some clients,
> like mobile ones, where, VPN or no, kinit'ing is not an option.

The OpenSSH sshd code decides the principal name, not libkrb5. Looking at the OpenSSH auth-krb5.c, I don't think there's any configurability; it picks a principal name of authctxt->pw->pw_name (except on AIX), parses that, and calls krb5_get_init_creds_password().

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
