Re: Using an alternate principal for ssh

https://www.novabbs.com/devel/article-flat.php?id=280&group=comp.protocols.kerberos#280

From: eag...@eyrie.org (Russ Allbery)
Newsgroups: comp.protocols.kerberos
Subject: Re: Using an alternate principal for ssh
Date: Tue, 31 May 2022 13:04:46 -0700
Organization: The Eyrie
Lines: 27
Message-ID: <mailman.81.1654027517.8148.kerberos@mit.edu>
References: <622B5998-57E0-450C-88C4-96FA04220AB8@prime.gushi.org>
<410be09d-0680-96f9-ef59-599c0a9996e3@mit.edu>
<CALF+FNx1A+rwTEntG7bza1eLZcizk5WpfLQ0QsP8BZH-6zr1pA@mail.gmail.com>
<e2ac1b0e-c77a-2771-bf9c-a5c3195a3f5e@taltos.org>
<1559B81F-2C3B-4445-AF14-D28B9F328A78@prime.gushi.org>
<8735gph3j5.fsf@hope.eyrie.org>
Mime-Version: 1.0
Content-Type: text/plain
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
Cc: Carson Gaspar <carson@taltos.org>, <kerberos@mit.edu>
To: Dan Mahoney <danm@prime.gushi.org>
In-Reply-To: <1559B81F-2C3B-4445-AF14-D28B9F328A78@prime.gushi.org> (Dan
Mahoney's message of "Tue, 31 May 2022 15:51:39 -0400")
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>

Dan Mahoney <danm@prime.gushi.org> writes:

> Our userbase is pretty small and systems are overall managed with
> puppet, so that's not a problem for us. We'd need to either disallow
> GSSAPI entirely, or accept that we need to manipulate a dir of k5login
> files outside the users' homedirs.

If you're already willing to manage .k5login files, the search_k5login
option to my PAM module may also work, and was the whole reason why I
started contributing to that module instead of using Red Hat's (to solve
an old issue that Stanford had).

alt_auth_map is the more precise solution, but it only allows a single
mapping, whereas with search_k5login you can do whatever you want as long
as you populate .k5login accordingly.

> I'll take a directory of k5login files. As an organization we don't
> like pubkey auth because there's no easy central control over users.
> (i.e. pubkey completely sidesteps kerberos. If you have something like
> ldap deployed, that can help, but we don't like the idea of every system
> call like ls -al phoning an LDAP server.)

Yes, at Stanford we disabled public key and required GSS-API for most
things.

--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>
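To make the distinction Russ draws concrete, here is an added Python model (not pam-krb5's own code, and not part of the original post) of the two mapping strategies: alt_auth_map substitutes the local username into one configured template, so each account has exactly one alternate principal, while search_k5login accepts whatever principals the account's k5login file lists, so the file contents are the whole policy. The realm EXAMPLE.COM, the sample file contents and the /etc/k5login.d layout are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample: one k5login file per local account, as it would be
# laid out in a centrally managed directory such as /etc/k5login.d
# (the directory name is illustrative; the thread names none).
K5LOGIN_FILES: Dict[str, str] = {
    "alice":  "alice@EXAMPLE.COM\nalice/admin@EXAMPLE.COM\n",
    "bob":    "bob@EXAMPLE.COM\n",
    "backup": "alice/admin@EXAMPLE.COM\n\nbob/admin@EXAMPLE.COM\n",
}

# Loose syntax check: '/'-separated components, then '@' and a realm.
PRINCIPAL_RE = re.compile(r"^[^@/\s]+(?:/[^@/\s]+)*@[^@/\s]+$")


def parse_k5login(text: str) -> List[str]:
    """Principals listed in a k5login file.  Blank or malformed lines are
    skipped (this model's choice), so a stray line never authorises anyone."""
    principals = []
    for line in text.splitlines():
        line = line.strip()
        if line and PRINCIPAL_RE.match(line):
            principals.append(line)
    return principals


def alt_auth_map_candidate(user: str, template: str) -> str:
    """alt_auth_map: one alternate principal per account, produced by
    substituting the local username for %s in the configured template."""
    return template.replace("%s", user)


def alt_auth_map_allows(user: str, principal: str, template: str) -> bool:
    """Only the single mapped principal is accepted for this account."""
    return principal == alt_auth_map_candidate(user, template)


def search_k5login_allows(user: str, principal: str,
                          files: Dict[str, str] = K5LOGIN_FILES) -> bool:
    """search_k5login: any principal listed in the account's file may log in."""
    return principal in parse_k5login(files.get(user, ""))


def accounts_reachable(principal: str,
                       files: Dict[str, str] = K5LOGIN_FILES) -> List[str]:
    """Audit helper: every local account a principal can reach through the
    k5login files, i.e. what has to be reviewed when those files drift."""
    return sorted(u for u, text in files.items()
                  if principal in parse_k5login(text))
```

With the sample files, alice/admin@EXAMPLE.COM reaches both alice and backup under search_k5login, whereas the template %s/admin@EXAMPLE.COM only ever maps backup to backup/admin@EXAMPLE.COM.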
