Date:      Wed, 2 Dec 2015 13:07:08 +0300
From:      Slawa Olhovchenkov <slw@zxy.spb.ru>
To:        Benjamin Kaduk <kaduk@MIT.EDU>
Cc:        Rick Macklem <rmacklem@uoguelph.ca>, hackers@freebsd.org
Subject:   Re: NFSv4 details and documentations
Message-ID:  <20151202100708.GJ31314@zxy.spb.ru>
In-Reply-To: <alpine.GSO.1.10.1512020158390.26829@multics.mit.edu>
References:  <1162872124.114408327.1449007978859.JavaMail.zimbra@uoguelph.ca> <alpine.GSO.1.10.1512020158390.26829@multics.mit.edu>

On Wed, Dec 02, 2015 at 02:04:53AM -0500, Benjamin Kaduk wrote:

> On Tue, 1 Dec 2015, Rick Macklem wrote:
> 
> > Are you able to explain how sshd is configured to do a kinit for the
> > user as they ssh into a machine?
> 
> I had been planning to say something when I caught up on the thread, yes.
> 
> Slawa and I have a pre-existing disagreement about the nature of "single
> sign-on" and how kerberos should "most properly" be used, but in the case
> where one is planning to type one's kerberos password into sshd and
> authenticate to the system, pam_krb5 should suffice.  We use AFS at MIT,
> not NFS, but still have network homedirs that require kerberos tickets for
> authentication, so we combine pam_krb5 and pam_afs_session to do the
> necessary authentication.  Unfortunately, I never got the time to properly
> port that setup from Linux to FreeBSD, so I don't have direct experience
> with FreeBSD pam configuration for such a setup.

FreeBSD's sshd uses thread emulation by fork; as a result, the Kerberos token
obtained at pam_krb5:auth can't be accessed at pam_krb5:session (for
writing to /tmp/krb5cc_UID). Recompiling with
-DUNSUPPORTED_POSIX_THREADS_HACK resolves this issue (and I can log in
with a Kerberos password to a host with Kerberized NFSv4 and ssh to
another host without an additional kinit or password).

DES is against UNSUPPORTED_POSIX_THREADS_HACK, but I am unable to follow
his reasoning (PAM can change locale settings? OK, that is legitimate as far
as I understand PAM -- PAM is designed for this. A vulnerability in PAM? In any
case, PAM runs as root and is not chrooted.)

> There is still the limitation that things like .k5login must be
> world-readable in order for the login to work, which as I understand it is
> acceptable for Slawa.
> 
> I'm not sure what the ordering is between pam and whatever part of the
> login stack would be actually mounting the home directories, though.
> Perhaps Slawa has some insight.

I use autofs (automount) for this.
