Solved: Kerberised NFS

Peter Eriksson peter at ifm.liu.se
Fri Feb 13 03:56:43 EST 2009


Edward Irvine <eirvine at tpg.com.au> writes:

>On my workstation (and all kerberos clients) I have now inserted:

>a)  "GSSAPIDelegateCredentials yes" parameter into /etc/ssh/ssh_config, and;
>b)  "forwardable = true" in the [libdefaults] section of /etc/krb/krb5.conf, and;
>c)  Played around with /etc/krb5/warn.conf so that tickets are
>automatically renewed.

>The end result is that I now have a TGT on the target, even when I  
>log in to an intermediate machine first.

>I also did a little experiment. After logging in to the target  
>machine, (with the GSSAPIDelegateCredentials working and all), I ran  
>the "kdestroy" command. As expected, my home directory became  
>immediately unreadable until I got a new TGT with the "kinit"  
>command. Cool...

Next you'll discover the fun side effects of having a Secure NFS'd
home directory (I've been running with that for about a year now).

Most things work just as expected but then there are the warts...

Firefox:
  When Firefox loses access to $HOME (for example if you are away from
  your computer long enough for the ticket to expire) then the Google
  search box will magically stop working. Solution: Restart Firefox.

Thunderbird:
  When Thunderbird loses access to $HOME due to expiring tickets then
  it will prevent you from being able to delete new mail in your IMAP inboxes.
  New mail will show up fine though... Solution: Restart Thunderbird.

xscreensaver:
  When $HOME goes away then xscreensaver will fail to launch the
  password dialog application when you wish to login again (since
  it can't read the .Xauthority file in your $HOME so it will
  not be allowed access to your X server). Blank window forever...
  Solution: ssh in from another machine and 'kill' xscreensaver.

crontab jobs, Grid Engine Jobs:
  You'd better make sure you have tickets on the machines where they
  are going to start your jobs and that the tickets won't expire
  while the jobs are running. Solution: ?

ssh with S/Key (one time password):
  Sure, you are let in after a successful authentication. But you will
  still need to enter your password to get the ticket - allowing someone
  to sniff it...

- Peter

-- 
Peter Eriksson <peter at ifm.liu.se>            Phone:    +46 13  28 2786
Computer Systems Manager/BOFH                Cell/GSM: +46 705 18 2786
Physics Department, Linköping University     Room:     Building F, F203
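The "crontab jobs, Grid Engine Jobs" wart above ends with "Solution: ?". One defensive piece of that solution is a pre-flight check the job wrapper runs before touching a Kerberised $HOME: parse the current credential cache and refuse to start a job that would outlive the TGT. The following is an added example, not code from the original post or from any Kerberos distribution. It assumes MIT Kerberos `klist` output in the C-locale "MM/DD/YYYY HH:MM:SS" date format (adjust `KLIST_DATE` for other builds or locales); the `SAMPLE_KLIST` text is constructed for illustration, and the function and script names are hypothetical.

```python
"""Pre-flight ticket check for cron / batch jobs that need a Kerberised-NFS $HOME.

Added example (not from the original post). It parses the text output of MIT
Kerberos `klist` (assumed C-locale "MM/DD/YYYY HH:MM:SS" timestamps) and
answers: will the TGT still be valid when a job of the given length finishes,
and if not, is it renewable for long enough that `kinit -R` could carry it?
"""
import re
import subprocess
import sys
from datetime import datetime, timedelta

KLIST_DATE = "%m/%d/%Y %H:%M:%S"          # assumption: C-locale klist format
_STAMP = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(r"^(" + _STAMP + r")\s+(" + _STAMP + r")\s+(\S+)\s*$")
RENEW_RE = re.compile(r"^\s+renew until (" + _STAMP + r")\s*$")

# Constructed sample of klist output: a 10-hour TGT, renewable for a week.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: peter@EXAMPLE.ORG

Valid starting       Expires              Service principal
02/13/2009 08:00:00  02/13/2009 18:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\trenew until 02/20/2009 08:00:00
02/13/2009 08:00:05  02/13/2009 18:00:00  nfs/fileserver.example.org@EXAMPLE.ORG
"""


def parse_klist(text):
    """Return one dict per ticket: service, starts, expires, renew_until (or None)."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "starts": datetime.strptime(m.group(1), KLIST_DATE),
                "expires": datetime.strptime(m.group(2), KLIST_DATE),
                "service": m.group(3),
                "renew_until": None,
            })
            continue
        r = RENEW_RE.match(line)
        if r and tickets:  # the "renew until" line belongs to the ticket just listed
            tickets[-1]["renew_until"] = datetime.strptime(r.group(1), KLIST_DATE)
    return tickets


def tgt_covers_job(text, job_seconds, now):
    """Classify the TGT in klist output against a job of job_seconds starting at `now`.

    Returns "ok", "renewable" (a kinit -R before expiry would carry the job
    through), "too-short", "expired" or "no-tgt".
    """
    tgts = [t for t in parse_klist(text) if t["service"].startswith("krbtgt/")]
    if not tgts:
        return "no-tgt"
    tgt = tgts[0]
    finish = now + timedelta(seconds=job_seconds)
    if tgt["expires"] <= now:
        return "expired"
    if tgt["expires"] >= finish:
        return "ok"
    if tgt["renew_until"] is not None and tgt["renew_until"] >= finish:
        return "renewable"
    return "too-short"


def check_at(text, job_seconds, now_str):
    """Same as tgt_covers_job but with `now` given as a klist-style timestamp string."""
    return tgt_covers_job(text, job_seconds, datetime.strptime(now_str, KLIST_DATE))


def main(argv):
    """Usage: ticket_check.py JOB_SECONDS  -- exits 0 only if the job can safely start."""
    job_seconds = int(argv[1]) if len(argv) > 1 else 3600
    out = subprocess.run(["klist"], capture_output=True, text=True)
    if out.returncode != 0:
        print("klist failed: no credential cache for this user?", file=sys.stderr)
        return 1
    verdict = tgt_covers_job(out.stdout, job_seconds, datetime.now())
    print("TGT check:", verdict)
    return 0 if verdict == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python3 ticket_check.py 43200 && ./long_job` from the crontab entry or Grid Engine prolog so a job that would lose its $HOME halfway fails loudly at submission time instead of silently at hour nine. A "renewable" verdict is the cue to run `kinit -R` (or a keytab-based `kinit`) from the prolog before starting; a "too-short" verdict means the realm's maximum ticket or renewable life is the real limit and no client-side fiddling will help.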


