On 13/05/2011, at 5:22 PM, Jim Basney wrote:
> One aspect of this issue is letting GSS-API choose the target username.
> For example, in TeraGrid my username is different across the different
> sites, and I rely on an OpenSSH patch to allow the client to specify an
> empty string as username. Quoting RFC 4462:
>
> The user name may be an empty string if it can be deduced from the
> results of the GSS-API authentication.
>
> This way I don't need to remember what my username is at each site. I
> just let GSS-API take care of it. The OpenSSH bug about it, with a patch
> I attached in 2006, is here:
>
> https://bugzilla.mindrot.org/show_bug.cgi?id=1100
Ah, that's interesting. Currently our patches to OpenSSH use a new API, gss_authorize_localname(), in order to match the Unix and GSS names (this replaces the call to krb5_kuserok()). With the approach you mention, we could use gss_get_name_attribute("local-login-user") to retrieve the local login name.
Of course, this is somewhat tangential to Jason's question.
-- Luke