From linux-nfsv4 Wed Apr 18 13:45:52 2007
From: Bernd Schubert
Date: Wed, 18 Apr 2007 13:45:52 +0000
To: linux-nfsv4
Subject: Re: NFS4 and remote access
Message-Id: <200704181545.53600.bernd-schubert () gmx ! de>
X-MARC-Message: https://marc.info/?l=linux-nfsv4&m=117690436610580

On Wednesday 18 April 2007 15:07:32 Kevin Coffman wrote:
> On 4/18/07, Ian Grant wrote:
> > Dear List,
> >
> > We are wondering how we can best allow remote ssh access to our users
> > if their home directories are mounted using NFSV4 with kerberos
> > authentication.
> >
> > We currently try hard not to expose user passwords to remote systems.
> > So we only allow ssh access using one-time passwords or public keys.
> >
> > If we were to set up ssh so that users could connect using public keys,
> > we would like them to be able to authenticate themselves to NFS without
> > exposing their kerberos key. One idea is to have them use a one-time
> > password to get credentials via a keytab, but securely managing the
> > keytabs would be a problem.
> >
> > Does anyone have a better idea? I would be interested to hear.
> >
> > Ian
>
> Have you considered using Kerberos authentication for ssh and
> forwarding Kerberos credentials? (Assuming this is possible given the
> environment where the users are coming in from.)

But isn't that part of the problem? You are somewhere in the world and want to
log in to the remote system; kerberos is in most of those cases not possible.

I think the best idea is to tell sshd to look for public keys not only in
$HOME, but somewhere in a local directory. Then, when logged in to the
kerberized environment, the user has to run kinit to get access to his/her
$HOME.

Bernd
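
A way to check the setup suggested in the reply above, as an added example that is not part of the thread: the script resolves the AuthorizedKeysFile patterns of an sshd_config for one user and labels each resulting path as under the home directory or local, so an administrator can confirm that at least one key location does not depend on the Kerberos-protected $HOME. The user alice, the home path /home/alice and the /etc/ssh/authorized_keys/%u layout are constructed assumptions; Match blocks and Include files are not handled.

```shell
#!/bin/sh
# Added example: list the key files sshd would consult for one user and label
# each as "home" (under the user's home directory) or "local".
# Not handled in this sketch: Match blocks, Include, keyword=value syntax.

# Constructed sample config; the local key directory is an assumed layout.
sample_config() {
  cat <<'EOF'
PubkeyAuthentication yes
AuthorizedKeysFile /etc/ssh/authorized_keys/%u .ssh/authorized_keys
EOF
}

# resolve_keyfiles CONFIG USER HOME
resolve_keyfiles() {
  awk -v user="$2" -v home="$3" '
    # Expand the %u, %h and %% tokens of one AuthorizedKeysFile pattern.
    function expand(p,   out, i, c, n) {
      out = ""
      for (i = 1; i <= length(p); i++) {
        c = substr(p, i, 1)
        if (c != "%") { out = out c; continue }
        n = substr(p, ++i, 1)
        if (n == "u") out = out user
        else if (n == "h") out = out home
        else if (n == "%") out = out "%"
        else out = out "%" n          # other tokens are left unexpanded
      }
      return out
    }
    # The keyword is case-insensitive and the first value sshd reads wins.
    tolower($1) == "authorizedkeysfile" && !seen {
      seen = 1
      for (f = 2; f <= NF; f++) pats[++np] = $f
    }
    END {
      # Default of sshd when the directive is absent.
      if (!seen) { pats[1] = ".ssh/authorized_keys"; pats[2] = ".ssh/authorized_keys2"; np = 2 }
      for (k = 1; k <= np; k++) {
        path = expand(pats[k])
        if (path !~ /^\//) path = home "/" path   # relative means relative to home
        where = (index(path, home "/") == 1) ? "home" : "local"
        print where, path
      }
    }' "$1"
}

cfg=$(mktemp)
sample_config > "$cfg"
resolve_keyfiles "$cfg" alice /home/alice
rm -f "$cfg"
```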