
List:       linux-nfsv4
Subject:    Re: NFS4 and remote access
From:       Bernd Schubert <bernd-schubert () gmx ! de>
Date:       2007-04-18 13:45:52
Message-ID: 200704181545.53600.bernd-schubert () gmx ! de

On Wednesday 18 April 2007 15:07:32 Kevin Coffman wrote:
> On 4/18/07, Ian Grant <Ian.Grant@cl.cam.ac.uk> wrote:
> > Dear List,
> >
> > We are wondering how we can best allow remote ssh access to our users
> > if their home directories are mounted using NFSV4 with kerberos
> > authentication.
> >
> > We currently try hard not to expose user passwords to remote systems.
> > So we only allow ssh access using one-time passwords or public keys.
> >
> > If we were to set up ssh so that users could connect using public keys,
> > we would like them to be able to authenticate themselves to NFS without
> > exposing their kerberos key. One idea is to have them use a one-time
> > password to get credentials via a keytab, but securely managing the
> > keytabs would be a problem.
> >
> > Does anyone have a better idea? I would be interested to hear.
> >
> > Ian
>
> Have you considered using Kerberos authentication for ssh and
> forwarding Kerberos credentials?  (Assuming this is possible given the
> environment where the users are coming in from.)

But isn't that part of the problem? You are somewhere in the world and want to 
log in to the remote system; Kerberos is in most of those cases not possible.

I think the best idea is to tell sshd to look for public keys not only in 
$HOME, but somewhere in a local directory. Then, when logged in to the 
kerberized environment, the user has to run kinit to get access to his/her 
$HOME.

Bernd
_______________________________________________
NFSv4 mailing list
NFSv4@linux-nfs.org
http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4
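
The suggestion in the reply above maps to sshd's `AuthorizedKeysFile` keyword. The following check is an added example, not part of the thread: it reads an sshd_config and reports whether at least one key file pattern sits outside the Kerberized home tree, so public-key login can work before the user holds a ticket. The path `/etc/ssh/authorized_keys/%u` and the `/home` mount prefix are assumptions.

```shell
#!/bin/sh
# sshd_has_local_keyfile CONFIG [NFS_PREFIX]
# Classifies each AuthorizedKeysFile pattern in the global section of CONFIG
# as "local" or "home" and returns 0 if at least one is outside the home tree.
# NFS_PREFIX (default /home) is an assumed location of the Kerberized mount.
sshd_has_local_keyfile() {
    nfs=${2:-/home}
    patterns=$(awk '
        tolower($1) == "match" { exit }      # stop at the first Match block
        /^[ \t]*#/ { next }                  # skip comments
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, kv, /[ \t=]+/)
            if (tolower(kv[1]) == "authorizedkeysfile") {
                sub(/^[^ \t=]+[ \t=]+/, "", line)
                print line
                exit                         # sshd uses the first value it reads
            }
        }' "$1")
    # Built-in default when the keyword is absent: both relative to $HOME.
    [ -n "$patterns" ] || patterns=".ssh/authorized_keys .ssh/authorized_keys2"
    rc=1
    for p in $patterns; do
        case $p in
            none)          continue ;;
            %h*|"$nfs"/*)  echo "home $p" ;;
            /*)            echo "local $p"; rc=0 ;;
            *)             echo "home $p" ;;   # relative paths resolve under $HOME
        esac
    done
    return $rc
}

# Constructed sample: per-user key files on local disk, home copy kept as well.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
PubkeyAuthentication yes
AuthorizedKeysFile /etc/ssh/authorized_keys/%u .ssh/authorized_keys
EOF
sshd_has_local_keyfile "$cfg" || echo "no key file readable without a ticket"
rm -f "$cfg"
```

Key files kept outside $HOME are still subject to StrictModes, so each file should be owned by root or the user and not be writable by group or others.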