
>>>>> "Stefan" == Stefan Paetow <[log in to unmask]> writes:

    Stefan> Ok, that's interesting. So if neither CUI nor User-Name are
    Stefan> set, but the authorization and authentication succeeded,
    Stefan> that's acceptable? Which of the two attributes is used for
    Stefan> local user mapping (i.e. for home directories in an SSH
    Stefan> context) - I assume (based on the Wiki docs) it should be
    Stefan> User-Name?

In the case of ssh, neither.  Whatever username is passed in as the
service request username (-l option to ssh command) is used.  The code
calls gss_userok to ask the question of whether the initiator identity
is permitted to log into that account.

The Moonshot mechanism allows Shibboleth to map whatever the
administrator configures to the local-login-user Shibboleth attribute.
That Shibboleth attribute can be used to control ssh access.

--Sam