Hello Everyone. I am building a webmail server that uses Kerberos to
authenticate users to our Active Directory servers. My problem is that the
users that need to access this system are across multiple domains (example:
[hidden email], [hidden email]). Is there a way for Kerberos to handle
this? Any help would be greatly appreciated. Thanks.
I already got it working, but ssh requires local accounts to exist on the machine for it to actually allow any authenticated user to have an ssh session. Can this be done, let's say machine A doesn't have any user account?
Now I will ssh to machine A and authenticate using GSSAPI; I will then land on a command prompt inside my home dir (possibly retrieved through some other means). Anyone done this before?
Re: ssh using gssapi authentication without local account existing on the target machine
jay alvarez wrote:
> I already got it working, but ssh requires local accounts to exist on the machine for it to actually
> allow any authenticated user to have an ssh session. Can this be done, let's say machine A doesn't have
> any user account?
> Now I will ssh to machine A and authenticate using GSSAPI; I will then land on a command prompt inside
> my home dir (possibly retrieved through some other means). Anyone done this before?
Assuming UNIX, you still need to start the processes under some UID, be it obtained locally, or from
NIS or LDAP, or even dynamically assigned. The host also has to make some authorization decision
about accepting the GSSAPI connection. Current GSSAPI does authentication only; you still
need the authorization to the local machine. krb5_kuserok, for example, does this.
If you use dynamically assigned UIDs, you then have to clean up the local file system of
any leftover files for the UID.
But sshd appears to want the remote user to specify the local account to
use, without allowing some mapping from GSSAPI credentials to a local account first.
One way would be via PAM. PAM states that the PAM routines can change the pam_user, and
the calling application should accept this; sshd does not.
So the first thing that would be needed is for sshd to continue on if the
user was not found, and let PAM at least have a shot at returning a new valid user.
This has come up on the OpenSSH mailing list from time to time.
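The distinction the reply draws, GSSAPI proving who the peer is while a krb5_kuserok-style check and sshd's local-account requirement decide whether a session may start, as an added Python example that is not from either poster. The local accounts, the .k5login contents and the auth_to_local-style mapping rules (covering the two-realm situation from the webmail question) are constructed; the real krb5_kuserok, .k5login and auth_to_local behave in this shape but are not reimplemented here.

```python
import re
from typing import Optional

# Constructed sample data: local accounts on "machine A" and the ~/.k5login files present there.
LOCAL_ACCOUNTS = {"alice", "corp-bob"}
K5LOGIN_FILES = {"alice": "alice@EXAMPLE.COM\nbob/admin@CORP.EXAMPLE.COM\n"}

# Constructed rules in the spirit of krb5.conf auth_to_local: a regex over the whole principal
# and a replacement yielding the local user name. Covers two realms, as in the webmail question.
AUTH_TO_LOCAL = [
    (r"^([^/@]+)@EXAMPLE\.COM$", r"\1"),
    (r"^([^/@]+)@CORP\.EXAMPLE\.COM$", r"corp-\1"),
]

def map_to_local_user(principal: str, rules=AUTH_TO_LOCAL) -> Optional[str]:
    """Derive a local account name from an authenticated principal; None if no rule applies."""
    for pattern, repl in rules:
        m = re.match(pattern, principal)
        if m:
            return m.expand(repl)
    return None

def kuserok(principal: str, luser: str, k5login_files=K5LOGIN_FILES) -> bool:
    """Authorization in the shape of krb5_kuserok: if ~luser/.k5login exists the principal must be
    listed in it; otherwise the principal's local-name mapping must equal luser."""
    k5login = k5login_files.get(luser)
    if k5login is not None:
        return principal in {ln.strip() for ln in k5login.splitlines() if ln.strip()}
    return map_to_local_user(principal) == luser

def authorize_login(principal: str, requested_user: Optional[str] = None,
                    local_accounts=LOCAL_ACCOUNTS) -> tuple:
    """GSSAPI has already proven who the peer is; this is the separate authorization decision.
    Returns (allowed, local_user, reason)."""
    luser = requested_user or map_to_local_user(principal)
    if luser is None:
        return (False, None, "no mapping from principal to a local user")
    if luser not in local_accounts:
        # The check sshd applies before PAM gets a chance to substitute another pam_user.
        return (False, luser, "local account does not exist")
    if not kuserok(principal, luser):
        return (False, luser, "principal not authorized for this account")
    return (True, luser, "ok")

if __name__ == "__main__":
    for p, u in [("alice@EXAMPLE.COM", "alice"), ("bob/admin@CORP.EXAMPLE.COM", "alice"),
                 ("bob@CORP.EXAMPLE.COM", None), ("mallory@EXAMPLE.COM", "alice"),
                 ("bob@EXAMPLE.COM", None), ("carol@OTHER.EXAMPLE", None)]:
        print(f"{p:30} as {u!s:8} -> {authorize_login(p, u)}")
```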