On 5/31/2022 9:05 AM, Dan Mahoney wrote:
All,
In the dayjob, many apps default to the kerberos principal, and we'd like to
make ssh (whether used with kinit and gssapi auth, or with a typed-password,
via KerberosAuthentication, or PAM) use a different principal, say
user/ssh@REALM, such that if you mistype your wiki password or your webmail
password, you don't magically gain SSH access to All The Things?
On most of our boxes, ssh is the ONLY kerberized app, but there's no provision
in krb5.conf to say what the default principal based on a username is. None of
the PAM modules seem to be able to set it, either. I conjured up an elaborate
way to do this by forcing the .k5logindir to be something the users couldn't
touch, and forcing a create for each user, but this doesn't help the password
case.
Does anyone know of a simple way to accomplish this? There are some clients,
like mobile ones, where, VPN or no, kinit'ing is not an option.
Looking at pam_krb5, if you log in as user/ssh@REALM, it will use that
principal and change the PAM user to the results of the krb5 localname
mapping. You'd have to configure the localname mapping in krb5.conf (or
an alternate config fragment just for sshd and set KRB5_CONFIG), and
configure ssh to only allow users of the form */ssh@REALM to prevent
users from logging in as just themselves. I haven't tested this, and I
don't know if sshd will get grumpy if the PAM stack changes the user name.
The alternative would be to patch pam_krb5 to support a user_instance
config option as well as user_realm. It would be a fairly small change,
and I suspect Russ might approve it to go upstream.
I don't know how hard it would be to support changing the user name
inside a match block in sshd_config (or if the maintainers would
consider accepting such a PR), but that would be the other option I'd
investigate.
--
Carson
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
