Re: Using an alternate principal for ssh

<mailman.82.1654029589.8148.kerberos@mit.edu>

From: hedr...@rutgers.edu (Charles Hedrick)
Newsgroups: comp.protocols.kerberos
Subject: Re: Using an alternate principal for ssh
Date: Tue, 31 May 2022 20:39:12 +0000
 by: Charles Hedrick - Tue, 31 May 2022 20:39 UTC

Kerberos uses a plugin to determine which principal is used in a given situation. You could write a plugin that forces the principal to user/ssh if the service is ssh. The API isn't complex. There are several examples.

You'd write the code to check if the service is ssh. If so, you'd look for a cache collection with user/ssh (there's an API call to do that). If so, return that cache collection. If not, return authoritative not found. If it's not ssh, return the code that causes it to defer to other plugins.
________________________________
From: Kerberos <kerberos-bounces@mit.edu> on behalf of Greg Hudson <ghudson@mit.edu>
Sent: Tuesday, May 31, 2022 3:08 PM
To: Dan Mahoney <danm@prime.gushi.org>; kerberos@mit.edu <kerberos@mit.edu>
Subject: Re: Using an alternate principal for ssh

On 5/31/22 12:05, Dan Mahoney wrote:
> On most of our boxes, ssh is the ONLY kerberized app, but there's no provision in krb5.conf to say what the default principal based on a username is. None of the PAM modules seem to be able to set it, either. I conjured up an elaborate way to do this by forcing the .k5logindir to be something the users couldn't touch, and forcing a create for each user, but this doesn't help the password case.
>
> Does anyone know of a simple way to accomplish this? There are some clients, like mobile ones, where, VPN or no, kinit'ing is not an option.

The OpenSSH sshd code decides the principal name, not libkrb5. Looking at the OpenSSH auth-krb5.c, I don't think there's any configurability; it picks a principal name of authctxt->pw->pw_name (except on AIX), parses that, and calls krb5_get_init_creds_password().
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
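
Added example, not part of the original post and not code from MIT krb5 or OpenSSH: a standalone C model of the three-way decision the reply describes for a credential-cache selection plugin (use the user/ssh cache, authoritative not-found, or defer). Assumptions: the names `choose_cache`, `struct cache` and `sample` are hypothetical, ssh is recognised by the `host/` service principal that sshd's GSSAPI code uses, and the realm is taken from the server principal; in a real MIT krb5 ccselect module the lookup would be `krb5_cc_cache_match()` and the three outcomes would be returning 0, `KRB5_CC_NOTFOUND` and `KRB5_PLUGIN_NO_HANDLE`.

```c
#include <stdio.h>
#include <string.h>

/* Outcomes of the selection step. A real ccselect choose method would
 * return 0, KRB5_CC_NOTFOUND and KRB5_PLUGIN_NO_HANDLE respectively. */
enum sel { SEL_USE_CACHE, SEL_NOT_FOUND, SEL_DEFER };

/* Constructed stand-in for one cache in the collection: its client principal. */
struct cache { const char *client; };
static const struct cache sample[] = { {"alice@EXAMPLE.ORG"}, {"alice/ssh@EXAMPLE.ORG"} };

/* Assumption: ssh is identified by the host/<fqdn>@REALM service principal. */
static int is_ssh_service(const char *server)
{
    return strncmp(server, "host/", 5) == 0;
}

/* Build "<user>/ssh@<REALM>", taking the realm from the server principal. */
static int alt_principal(const char *user, const char *server, char *out, size_t len)
{
    const char *realm = strrchr(server, '@');
    if (realm == NULL || realm[1] == '\0')
        return -1;
    int n = snprintf(out, len, "%s/ssh%s", user, realm);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

enum sel choose_cache(const char *user, const char *server,
                      const struct cache *coll, size_t ncaches,
                      const struct cache **chosen)
{
    char want[256];
    *chosen = NULL;
    if (!is_ssh_service(server))
        return SEL_DEFER;        /* not ssh: let other modules decide */
    if (alt_principal(user, server, want, sizeof(want)) != 0)
        return SEL_NOT_FOUND;    /* cannot form user/ssh: do not guess */
    for (size_t i = 0; i < ncaches; i++) {
        if (strcmp(coll[i].client, want) == 0) {
            *chosen = &coll[i];
            return SEL_USE_CACHE;
        }
    }
    return SEL_NOT_FOUND;        /* authoritative: no fallback to user@REALM */
}
```

The authoritative not-found branch is what keeps ssh from silently falling back to the primary `user@REALM` credentials when no `user/ssh` cache exists.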
