Automatically distributing nfs/ssh host principals

Guillaume Rousse Guillaume.Rousse at inria.fr
Tue Feb 9 05:17:49 EST 2010


Hello list.

In order to allow our users to set up their own machines for kerberized 
NFS, we deployed a custom CGI application allowing them, once 
authenticated, to create nfs/hostname principals, and extract the 
corresponding keytab file. As part of the process, they register 
themselves as owner of those principals, for extracting or deleting them 
later. We thereafter modified the application to deliver host/hostname 
principals instead, as they allow both NFS and SSH services.

However, this is still a bit painful, as it can't be included in 
automatic installation scenarios, for instance, and it requires us to track 
information for each user, which doesn't prove to be very useful. I was 
wondering about the security implications of changing the application 
behaviour to automatically deliver a keytab file containing an 
nfs/hostname principal, creating it if not already existing, 
corresponding to the IP address of the contacting machine, without any 
kind of authentication. This way, a simple wget/curl/lynx command in 
an automated installation would allow installing everything needed.

Of course, this would allow someone able to spoof the IP address of 
another host to also usurp its principal for those services, but:
- the application is only accessible from internal network
- our users machines are in a different LAN than our servers
- we use switched LANs, not hubs
This would reduce the spoofing scope to other workstations only.

Moreover, I don't think usurping another host's nfs principal has any 
interest, and ssh has its own mechanism (host keys) to prevent spoofing.

Am I missing something here?

-- 
BOFH excuse #54:

Evil dogs hypnotised the night shift
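
An added sketch, not part of the original post or of the application it describes: the decision an unauthenticated keytab endpoint has to make when the source IP address is its only evidence of identity. The subnet, the DNS records, the `decide` function and the issue-once rule are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: the subnet and DNS records below are hypothetical.
WORKSTATION_NETS = [ipaddress.ip_network("10.20.0.0/16")]
PTR = {"10.20.1.15": "ws15.example.org", "10.20.1.17": "srv1.example.org"}
A = {"ws15.example.org": ["10.20.1.15"], "srv1.example.org": ["10.30.0.5"]}


def decide(remote_addr, existing, ptr=PTR, a=A, nets=WORKSTATION_NETS):
    """Return (action, principal) for an unauthenticated keytab request.

    The source IP is the only identity evidence, so each check narrows what
    a spoofed address can obtain; none of them authenticates the caller.
    """
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return ("deny-bad-address", None)
    if not any(ip in net for net in nets):
        return ("deny-outside-workstation-lan", None)
    host = ptr.get(str(ip))
    if host is None:
        return ("deny-no-ptr", None)
    # Forward-confirm the reverse lookup so a stray PTR record cannot map a
    # workstation address onto a name that belongs to another machine.
    if str(ip) not in a.get(host, []):
        return ("deny-ptr-mismatch", None)
    principal = "nfs/" + host
    # Assumed issue-once rule: if the principal already exists, a second
    # request from the same address is indistinguishable from a spoofed one,
    # so it is refused and left to an authenticated path.
    if principal in existing:
        return ("deny-exists", principal)
    return ("create", principal)


if __name__ == "__main__":
    issued = set()
    for addr in ["10.20.1.15", "10.20.1.15", "10.20.1.17", "10.30.0.5", "x"]:
        action, principal = decide(addr, issued)
        if action == "create":
            issued.add(principal)
        print(addr, action, principal)
```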


