List: linux-nfsv4
Subject: Re: NFS4 and remote access
From: "david m. richter" <richterd () citi ! umich ! edu>
Date: 2007-04-18 21:11:11
Message-ID: Pine.BSO.4.64.0704181704460.6710 () citi ! umich ! edu
On Wed, 18 Apr 2007, Ian Grant wrote:
> On Wed, 2007-04-18 at 16:17 -0400, J. Bruce Fields wrote:
>> On Wed, Apr 18, 2007 at 09:14:33PM +0100, Ian Grant wrote:
>>> On Wed, 2007-04-18 at 16:03 -0400, Trond Myklebust wrote:
>>>> On Wed, 2007-04-18 at 20:45 +0100, Ian Grant wrote:
>>>>> Yes, we have had this working from within our own site, where we trust
>>>>> the machines we manage. I should have been more clear: I meant remote
>>>>> access from other institutions, cyber-cafes, etc. where we cannot
>>>>> necessarily trust anything beyond the ssh session. We don't want the
>>>>> user typing kinit and entering their kerberos key.
>>>>
>>>> If you don't trust the keyboard that you are using to type with, then
>>>> you cannot enter _any_ passwords that could be reused. The only way to
>>>> deal with that would be use-once passwords (including for the ssh
>>>> session itself).
>>>
>>> Yes. That is why we don't allow password-based ssh authentication. Just
>>> public keys.
>>
>> So you're trusting their private ssh keys to the cybercafe machines that
>> they're logging on from?
>
> Yes. We encourage people to create the private keys remotely and
> transfer the public key over a session they've authenticated using a
> one-time password, and to only allow logins from that host with that
> public key. Then when they are finished they throw away that key.

perhaps i'm completely misunderstanding, but you have people
generate private keys remotely -- like at the cybercafe mentioned above?
put another way, where are your users' private keys located? storing
private keys on untrusted computers doesn't work ...

d
.
_______________________________________________
NFSv4 mailing list
NFSv4@linux-nfs.org
http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4