hwauth vs NFS
Frank Cusack
frank+krb at linetwo.net
Wed Nov 10 19:15:44 EST 2010
I'm thinking of having users being able to optionally do an OTP hwauth
to obtain their TGT. Assuming that the require-hwauth flag on a
service principal would mean that the TGT has to have the H flag set in
order to obtain a service ticket, this would require hwauth in order
to use NFS, eg to a specific server that has higher value data. But
in "normal" use against "normal" NFS servers, the user wouldn't have
to use the OTP.
But then "machine credentials", used for root access, wouldn't work
because the KDC won't give a service ticket out when the client gssd
tries to obtain a ticket for root. I need that to work.
The solution I see around this is add some magic to the KDC so that
nfs/* principals get the H flag set on their TGT's. Some nfs/krb5
implementations use root/ or host/, which could be ok but if we do
nfs/ then at least we know the specific usage of this principal.
Does that sound ok or am I missing something obvious? To avoid
adding another flag to the kdb (and risking portability) I could
hardcode this in the KDC, however I then have a different portability
problem.
I'm ok with modifying the KDC to have the require-hwauth meaning that
I need, if it doesn't already have that meaning.
More information about the Kerberos
mailing list