How do I get cross domain Single Sign On working with OS provided SSH?
The OpenSSH shipped with the operating system treats a local user name as belonging to the AD/Kerberos domain (realm) of the machine it is on.
For example, if HostA is in the AD/Kerberos domain example.com, then a local user lcluser is taken to have the principal lcluser@example.com.
If the user actually belongs to the sub.example.com domain, their principal is lcluser@sub.example.com.
When they log in, GSSAPI authentication calls kuser_ok to decide whether the authenticated principal matches the requested local user; the two principals are not the same, so the user is denied access.
The auth_to_local option in /etc/krb5.conf can be used to make that match ignore the domain portion.
------------------------------
[realms]
    EXAMPLE.COM = {
        auth_to_local = RULE:[1:$1@$0](.*@.*EXAMPLE.COM)s/@.*//
        auth_to_local = DEFAULT
    }
------------------------------
The auth_to_local line provides rules for mapping an authenticated principal name to a local UNIX user name.
These rules are only used if there is no .k5login file in the user's UNIX home directory.
The DEFAULT entry is equivalent to having no auth_to_local setting at all.
The example above strips the domain portion, leaving only the user name.
This means that lcluser is mapped to lcluser regardless of the domain, so both of the following principals will work:
lcluser@sub.example.com
lcluser@example.com
Format of the auth_to_local line:
    auth_to_local = RULE:[<ncomps>:<format>](<regex>)s/<regex>/<text>/
Formulate the string on which to perform the operation:
    <ncomps>  Number of expected components before the realm name, e.g. username@realm has 1.
    <format>  Each component is selected as $<number>, the nth component, with $0 being the realm.
    e.g. [1:$1@$0] translates to username@realm
Rule validity:
    <regex>   Selector regular expression; the rule only applies when it matches the formatted string.
    e.g. (.*@.*EXAMPLE.COM) matches EXAMPLE.COM and all its subdomains, such as sub.example.com.
Transform rule:
    s/<regex>/<text>/
    e.g. s/@.*// removes @EXAMPLE.COM, or any subdomain realm, from the principal.
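To see how sshd's GSSAPI name mapping walks these entries, here is a small, hypothetical re-implementation of the RULE and DEFAULT evaluation described above (example code written for this page, not part of MIT krb5 or OpenSSH). It assumes krb5's behaviour that the selector must match the whole formatted string, that realms are compared case-sensitively, and that the first matching entry wins; EXAMPLE_RULES and TIGHT_RULES are constructed inputs.

```python
import re

# One auth_to_local RULE: RULE:[<ncomps>:<format>](<selector>)s/<find>/<repl>/[g]
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/([^/]*)/([^/]*)/(g?)$")


def apply_rule(rule, principal):
    """Apply one RULE to 'name[/inst]@REALM'; return the local name or None."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("unsupported rule syntax: " + rule)
    ncomps, fmt, selector, find, repl, gflag = m.groups()
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    if len(comps) != int(ncomps):        # [<ncomps>:...] must match exactly
        return None
    # Build the string to test: $0 is the realm, $1..$n the components.
    candidate = re.sub(
        r"\$(\d+)",
        lambda v: realm if v.group(1) == "0" else comps[int(v.group(1)) - 1],
        fmt,
    )
    # The selector has to cover the whole candidate string (case-sensitive).
    if re.fullmatch(selector, candidate) is None:
        return None
    return re.sub(find, repl, candidate, count=0 if gflag else 1)


def map_principal(rules, principal, default_realm):
    """Walk auth_to_local entries in file order; the first match wins."""
    for rule in rules:
        if rule == "DEFAULT":
            name, realm = principal.rsplit("@", 1)
            # DEFAULT only maps single-component principals in the default realm.
            if realm == default_realm and "/" not in name:
                return name
            continue
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None                          # no entry applied: login is refused


# The page's [realms] entry, constructed here as a list in file order.
EXAMPLE_RULES = ["RULE:[1:$1@$0](.*@.*EXAMPLE.COM)s/@.*//", "DEFAULT"]
# Tighter selector (constructed): only EXAMPLE.COM itself and its subdomains.
TIGHT_RULES = [r"RULE:[1:$1@$0](.*@(.*\.)?EXAMPLE\.COM)s/@.*//", "DEFAULT"]
```

Because `.*EXAMPLE.COM` in the page's selector is neither escaped nor anchored at a dot, it also accepts any realm whose name merely ends in EXAMPLE.COM, which is why TIGHT_RULES is shown alongside it.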