find the authorized principal


Ken Dreyer

Feb 22, 2012, 5:16:03 PM2/22/12
to kerb...@mit.edu
I have a local system account "git" on my server. In git's home
directory, several usernames are present in ~/.k5login. These accounts
can use GSSAPI to log in with SSH.

I'm interested in keeping closer tabs on who is logging into this
account, and maybe doing something with the information using git
hooks. I know that my server's authentication log will contain the
username of the principal that authenticated to the git account:

Authorized to git, krb5 principal kdr...@EXAMPLE.COM (krb5_kuserok)

Is there any way for the git user account itself to find this
information? I was hoping for an environment variable like $KRB5_USER
or something.

- Ken
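The auth log line quoted above is the one place where sshd records the Kerberos principal it accepted for the account, so a small parser over that log is one way to get the attribution the question asks for without anything in the git account's environment. The following is an added example, not code from the thread or from either poster. The log lines are constructed for illustration (host "gitbox", the pids, addresses and the principals alice, bob/admin and carol are all made up); the two message formats are the ones OpenSSH logs, and the example assumes the pid in brackets is the same on every line of one session.

```python
import re

# Constructed sample of sshd syslog lines (not from the original thread): the
# host "gitbox", the pids, the addresses and the principals are all made up.
# The message formats ("Authorized to ... (krb5_kuserok)" and "Accepted ...")
# are the ones OpenSSH logs; the pid in brackets is assumed constant across
# one session's lines.
SAMPLE_LOG = """\
Feb 22 17:10:01 gitbox sshd[4101]: Authorized to git, krb5 principal alice@EXAMPLE.COM (krb5_kuserok)
Feb 22 17:10:01 gitbox sshd[4101]: Accepted gssapi-with-mic for git from 192.0.2.10 port 50122 ssh2
Feb 22 17:12:40 gitbox sshd[4177]: Authorized to git, krb5 principal bob/admin@EXAMPLE.COM (krb5_kuserok)
Feb 22 17:12:40 gitbox sshd[4177]: Connection closed by 192.0.2.11 port 50200 [preauth]
Feb 22 17:15:09 gitbox sshd[4220]: Accepted publickey for git from 192.0.2.12 port 50311 ssh2
Feb 22 17:16:30 gitbox sshd[4250]: Authorized to deploy, krb5 principal carol@EXAMPLE.COM (krb5_kuserok)
Feb 22 17:16:30 gitbox sshd[4250]: Accepted gssapi-with-mic for deploy from 192.0.2.13 port 50400 ssh2
"""

AUTHORIZED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Authorized to (?P<account>\S+), "
    r"krb5 principal (?P<principal>\S+) \(krb5_kuserok\)$")
ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<account>\S+) "
    r"from (?P<addr>\S+) port \d+")
CLOSED_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: Connection closed ")


def attribute_logins(log_text, account="git"):
    """Return one dict per completed login to `account`, in log order.

    'Authorized to' is logged when krb5_kuserok accepts the principal for the
    account, before authentication has finished, so it is held per sshd pid
    and only attached to a login once the matching 'Accepted' line appears.
    Logins by other methods (publickey, password) are reported with
    principal None: the auth log has nothing to attribute them to.
    """
    pending = {}   # sshd pid -> principal authorized but not yet accepted
    logins = []
    for line in log_text.splitlines():
        m = AUTHORIZED_RE.search(line)
        if m:
            if m["account"] == account:
                pending[m["pid"]] = m["principal"]
            continue
        m = CLOSED_RE.search(line)
        if m:
            pending.pop(m["pid"], None)  # authorized, but never logged in
            continue
        m = ACCEPTED_RE.search(line)
        if m and m["account"] == account:
            principal = pending.pop(m["pid"], None)
            if m["method"] != "gssapi-with-mic":
                principal = None
            logins.append({"pid": m["pid"], "principal": principal,
                           "method": m["method"], "addr": m["addr"]})
    return logins


if __name__ == "__main__":
    for login in attribute_logins(SAMPLE_LOG):
        print(login)
```

Run against the sample, the alice login is attributed, the bob/admin attempt is dropped because the connection closed before "Accepted" was logged, and the publickey login is reported with no principal, which is the case a hook based on this data still has to handle.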

Russ Allbery

Feb 22, 2012, 5:26:32 PM2/22/12
to Ken Dreyer, kerb...@mit.edu
Unfortunately, not directly. What we do with our gitolite server is use
the following wrapper around the gitolite hooks to establish the user from
the gitolite perspective:

#!/usr/bin/perl -w
#
# gitolite-wrapper - wrapper file to hand gitolite a kerberos user
#
# Written by Jon Robertson <jonr...@stanford.edu>
# Copyright 2011 Board of Trustees, Leland Stanford Jr. University

use strict;

# Read the principal of the forwarded ticket cache from klist output.
# Only a principal in the expected realm is accepted; the realm is
# stripped and '/' is mapped to '_' to give gitolite a plain user name.
sub get_principal {
    my $klist = `/usr/bin/klist`;
    my $principal = '';
    foreach my $line (split (/[\r\n]+/, $klist)) {
        if ($line =~ /^Default principal: (.+)\@stanford\.edu$/) {
            $principal = $1;
            $principal =~ tr%/%_%;
        }
    }

    return $principal;
}

# Refuse to run gitolite at all if no principal could be determined.
my $principal = get_principal;
die "$0: could not find principal name\n" unless $principal;
exec ('/usr/share/gitolite/gl-auth-command', $principal);

This doesn't really help with a regular account, though, and it requires
that you forward tickets, and is in general somewhat unsatisfactory.

I wonder if it would be worth adding an option to the pam-krb5 session
module to set an environment variable containing the authenticated
principal used to access the account.

--
Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/>