Ok,
Then according to the Wiki docs that's RADIUS AVP 89 (i.e. Chargeable-User-Identity). Lovely. Now it's starting to make sense.
Thank you, Sam!
Stefan
-----Original Message-----
From: Sam Hartman [mailto:[log in to unmask]]
Sent: 16 May 2013 15:28
To: Paetow, Stefan (DLSLtd,RAL,DIA)
Cc: [log in to unmask]
Subject: Re: Is RADIUS attribute User-Name still required for SSH?
>>>>> "Stefan" == Stefan Paetow <[log in to unmask]> writes:
Stefan> Ok, That's interesting. So if neither CUI nor User-Name are
Stefan> set, but the authorization and authentication succeeded,
Stefan> that's acceptable? Which of the two attributes is used for
Stefan> local user mapping (i.e. for home directories in an SSH
Stefan> context) - I assume (based on the Wiki docs) it should be
Stefan> User-Name?
In the case of ssh, neither. Whatever username is passed in as the service request username (-l option to ssh command) is used. The code calls gss_userok to ask the question of whether the initiator identity is permitted to log into that account.
The Moonshot mechanism allows shibboleth to map whatever the administrator configures to the local-login-user shibboleth attribute.
That shibboleth attribute can be used to control ssh access.
--Sam