On 08/21/2013 07:09 PM, Ben H wrote:
> Are you stating that ssh (the application) is likely presenting whatever
> an 'id -un'/whoami provides and that whatever it is presenting must
> equal our "match" ?

Looking at the OpenSSH server code, I think it presents whatever local
username the client asked for, without looking it up in the passwd
database.

> In other words - krb5_kuserok isn't just looking up (via getpwnam()?) to
> confirm if it can find a user with that name, but the system has to
> return the user in a format that is equivalent to the match?

krb5_kuserok doesn't look up the local username in the passwd database at
all (well, except to find the .k5login file). It just compares the output
of aname-to-lname mapping against the local username string it was handed.

> 1) [1:$1] search for a domain name in the string and if none found,
> simply output $1 as the whole string
> 2) [1:$0\$1] search for a domain name in the string, and if found,
> output as DOMAIN\$1
>
> Whether or not the above *might* work is dependent on the rule
> processing order. Do all rules get processed, or once one matches does
> it exit?

Once one rule matches, that's it. aname-to-lname translation can only
yield one result.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
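The first-match behaviour discussed above, as an added illustration that is not part of the thread and not MIT krb5's own code: a simplified Python model of auth_to_local RULE evaluation (component count, $0/$n substitution, optional full-match regexp, optional s/// substitution), followed by the plain string compare krb5_kuserok makes. The principals and the rule order are constructed from the two rules in the question; with [1:$1] listed first, [1:$0\$1] can never fire.

```python
import re

# Simplified model of krb5.conf auth_to_local "RULE:" entries (added example,
# not krb5's implementation). Assumptions: the regexp part must match the
# whole generated string, and the first rule that applies ends processing.
RULE_RE = re.compile(
    r'^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$')

def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, realm = principal.rsplit('@', 1)
    return name.split('/'), realm

def apply_rule(rule, principal):
    """Local name this one rule yields, or None if the rule does not apply."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError('unsupported rule syntax: ' + rule)
    ncomp, fmt, regexp, pattern, repl, flag = m.groups()
    comps, realm = parse_principal(principal)
    if len(comps) != int(ncomp):          # wrong component count: skip
        return None
    out = fmt.replace('$0', realm)        # $0 is the realm
    for i, comp in enumerate(comps, 1):   # $1..$n are the components
        out = out.replace('$%d' % i, comp)
    if regexp is not None and re.fullmatch(regexp, out) is None:
        return None                       # regexp did not select this string
    if pattern is not None:
        out = re.sub(pattern, repl, out, count=0 if flag == 'g' else 1)
    return out

def aname_to_lname(rules, principal):
    """First matching rule wins; later rules are never consulted."""
    for rule in rules:
        result = apply_rule(rule, principal)
        if result is not None:
            return result
    return None                            # no translation at all

def kuserok(rules, principal, requested_user):
    """What krb5_kuserok does with the mapping result: a string compare,
    no passwd lookup of the username the ssh client asked for."""
    return aname_to_lname(rules, principal) == requested_user

# Constructed rule sets: the order from the question, and the reverse.
RULES_AS_ASKED = [r'RULE:[1:$1]', r'RULE:[1:$0\$1]']
RULES_REVERSED = [r'RULE:[1:$0\$1]', r'RULE:[1:$1]']
```

Because [1:$1] applies to every single-component principal, the order in the question always yields the bare name and a client asking for REALM\user is refused; only the reversed order produces the DOMAIN\user form.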
