
List:       linux-nfsv4
Subject:    Re: NFS4 and remote access
From:       "david m. richter" <richterd () citi ! umich ! edu>
Date:       2007-04-18 21:11:11
Message-ID: Pine.BSO.4.64.0704181704460.6710 () citi ! umich ! edu

On Wed, 18 Apr 2007, Ian Grant wrote:

> On Wed, 2007-04-18 at 16:17 -0400, J. Bruce Fields wrote:
>> On Wed, Apr 18, 2007 at 09:14:33PM +0100, Ian Grant wrote:
>>> On Wed, 2007-04-18 at 16:03 -0400, Trond Myklebust wrote:
>>>> On Wed, 2007-04-18 at 20:45 +0100, Ian Grant wrote:
>>>>> Yes, we have had this working from within our own site, where we trust
>>>>> the machines we manage. I should have been more clear: I meant remote
>>>>> access from other institutions, cyber-cafes etc. where we cannot
>>>>> necessarily trust anything beyond the ssh session. We don't want the
>>>>> user typing kinit and entering their kerberos key.
>>>>
>>>> If you don't trust the keyboard that you are using to type with, then
>>>> you cannot enter _any_ passwords that could be reused. The only way to
>>>> deal with that would be use-once passwords (including for the ssh
>>>> session itself).
>>>
>>> Yes. That is why we don't allow password-based ssh authentication. Just
>>> public keys.
>>
>> So you're trusting their private ssh keys to the cybercafe machines that
>> they're logging on from?
>
> Yes. We encourage people to create the private keys remotely and
> transfer the public key over a session they've authenticated using a
> one-time password, and to only allow logins from that host with that
> public key. Then when they are finished they throw away that key.

 	perhaps i'm completely misunderstanding, but you have people 
generate private keys remotely -- like at the cybercafe mentioned above? 
put another way, where are your users' private keys located?  storing
private keys on untrusted computers doesn't work ...

 	d
 	.
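
The policy quoted above ("only allow logins from that host with that public key") corresponds to the `from=` option in an OpenSSH `authorized_keys` file. As an added example that is not part of the thread, this Python audit flags entries that lack such a restriction or use a wildcard in it. Host names, key blobs and comments are constructed; the `expiry-time` check assumes a newer OpenSSH that supports that option, used here as a server-side counterpart to discarding the key.

```python
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")

def parse_entry(line):
    """Return (options, key_type, comment) for one authorized_keys line."""
    opts, field, in_quote, i = {}, "", False, 0
    if not line.startswith(KEY_PREFIXES):        # line starts with an options field
        while i < len(line):
            c = line[i]
            if in_quote and c == "\\" and line[i + 1:i + 2] == '"':
                field, i = field + '"', i + 2    # escaped quote inside a value
                continue
            if c == '"':
                in_quote = not in_quote
            elif not in_quote and c in ", \t":   # unquoted separator ends an option
                name, _, value = field.partition("=")
                if name:
                    opts[name.lower()] = value
                field = ""
                if c != ",":
                    break                        # whitespace ends the options field
            else:
                field += c
            i += 1
    rest = line[i:].split(None, 2)
    return opts, rest[0] if rest else "", rest[2] if len(rest) > 2 else ""

def audit(text):
    """Return {key comment: [findings]} for entries that break the policy."""
    report = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opts, _, comment = parse_entry(line)
        patterns = [p for p in opts.get("from", "").split(",") if p]
        findings = [] if patterns else ["no from= restriction"]
        if any(("*" in p or "?" in p) and not p.startswith("!") for p in patterns):
            findings.append("wildcard in from=")
        if "expiry-time" not in opts:
            findings.append("no expiry-time")
        if findings:
            report[comment] = findings
    return report

# Constructed sample file: host names and key blobs are placeholders.
SAMPLE = r'''
from="cafe-pc7.example.net",expiry-time="20070419" ssh-rsa AAAAB3CONSTRUCTED1 ian@cafe
ssh-rsa AAAAB3CONSTRUCTED2 alice@laptop
from="*.example.org,!bad.example.org",command="echo \"hi, there\"" ssh-rsa AAAAB3CONSTRUCTED3 bob@kiosk
'''
```

A `from=` restriction limits where a key can be used from; it does not protect a private key that was generated or stored on a machine the user does not control.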