Expired passwords and tickets

Stefan Skoglund Stefan.Skoglund at agj.net
Tue Sep 20 09:13:16 EDT 2011


Fri 2011-09-09 at 12:35 -0400, Greg Hudson wrote:
> On Fri, 2011-09-09 at 11:38 -0400, Mauricio Tavares wrote:

> 
> > 	Now, talking about the tickets themselves,if user is connected to NFS
> > server and ticket expires, what happens? Are the mountpoints suddenly
> > unreachable?
> 
> That depends on the application and on the library implementation.  In
> AFS, for instance, when your tokens (derived from your tickets) expire,
> you lose access to the filesystem.  That's a deliberate decision by AFS.
> I don't know if NFS makes a similar decision.  The underlying GSSAPI
> library might decide to stop accepting messages when the tickets expire.
> MIT krb5 did that up until version 1.9, but the resulting app behavior
> was typically pretty bad, so as of version 1.9 we no longer check.
> Heimdal doesn't check in any version.
> 
> Note that some application protocols don't use Kerberos or GSSAPI to
> process messages, only to authenticate.  SSH, for instance, uses its own
> crypto protocol to protect the data stream.  Applications like this
> typically won't care about ticket expiry regardless of the underlying
> Kerberos library version.  (The application could query the GSSAPI
> security context for the expiry time, but doing so is pretty rare.)
> 

I'm running a system (for learning only) with Debian Linux clients, a
Debian Linux KDC and a Solaris NFS server (NexentaStor) providing
home directories.

The directories are distributed with Kerberos protection, i.e.
Kerberos-provided access authorization and data protection, as a
separate automount for each.

For example: root on the local machines can't read the mounts.

If the user's X session is locked and the user's NFS ticket has expired,
the GNOME screensaver unlock functionality can't get access to the X
authorization secret (which is stored in a file in the home directory).

It unlocks as soon as the user logs in on one of the virtual terminals.
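As an added example (not code from the thread or from any of the projects mentioned), the kind of check a pre-lock hook on a Debian client could run to catch the situation above before the screensaver locks: parse `klist` output, see how long the NFS service ticket has left, and decide whether `kinit -R` can still renew the TGT or whether the user must re-authenticate. The `klist` text is constructed, the principal and host names are placeholders, and the timestamp layout is assumed to be MIT krb5's default two-digit-year form (it is locale dependent, hence the `ts_format` parameter).

```python
import re
from datetime import datetime, timedelta

# Constructed sample of MIT krb5 `klist` output; not captured from a real
# system. Principal and host names are placeholders.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: x@EXAMPLE.COM

Valid starting     Expires            Service principal
09/20/11 08:00:00  09/20/11 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 09/27/11 08:00:00
09/20/11 08:00:05  09/20/11 18:00:00  nfs/nas.example.com@EXAMPLE.COM
"""

NFS_SERVICE = "nfs/nas.example.com@EXAMPLE.COM"   # placeholder principal
TGT = "krbtgt/EXAMPLE.COM@EXAMPLE.COM"            # placeholder realm

# Assumed timestamp layout (MIT krb5 default, two-digit year); klist's
# output is locale dependent, so pass a different format if yours differs.
TS_FORMAT = "%m/%d/%y %H:%M:%S"
TICKET_RE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+(\S+)$")


def parse_klist(text, ts_format=TS_FORMAT):
    """Map each service principal to its start, expiry and renew-until times."""
    tickets = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("renew until ") and current is not None:
            tickets[current]["renew_until"] = datetime.strptime(
                stripped[len("renew until "):], ts_format)
            continue
        m = TICKET_RE.match(line)
        if not m:
            continue  # header, cache/principal lines, blank lines
        start, expires, princ = m.groups()
        try:
            tickets[princ] = {
                "start": datetime.strptime(start, ts_format),
                "expires": datetime.strptime(expires, ts_format),
                "renew_until": None,
            }
        except ValueError:
            continue  # looked like a ticket line but timestamps did not parse
        current = princ
    return tickets


def ticket_status(tickets, service, now, warn_before=timedelta(minutes=15)):
    """Return (state, seconds_left); state is 'missing', 'expired',
    'expiring' (inside warn_before) or 'ok'."""
    t = tickets.get(service)
    if t is None:
        return "missing", None
    left = t["expires"] - now
    if left <= timedelta(0):
        return "expired", 0
    secs = int(left.total_seconds())
    if left <= warn_before:
        return "expiring", secs
    return "ok", secs


def recommend(tickets, service, tgt, now, warn_before=timedelta(minutes=15)):
    """What a pre-lock hook should run so the service ticket outlives the lock:
    'none', 'kinit -R' (TGT still valid and renewable) or 'kinit'
    (must re-authenticate, e.g. with a password prompt, before locking)."""
    state, _ = ticket_status(tickets, service, now, warn_before)
    t = tickets.get(tgt)
    tgt_valid = t is not None and t["expires"] > now
    if state == "ok" or (state == "missing" and tgt_valid):
        return "none"  # a missing service ticket is fetched from the TGT on demand
    if tgt_valid and t["renew_until"] is not None and t["renew_until"] > now:
        return "kinit -R"  # an expired TGT cannot be renewed, hence tgt_valid above
    return "kinit"


def demo(now_text):
    """Run the check over the constructed sample at a given 'now'."""
    now = datetime.strptime(now_text, TS_FORMAT)
    tickets = parse_klist(SAMPLE_KLIST)
    state, secs = ticket_status(tickets, NFS_SERVICE, now)
    return state, secs, recommend(tickets, NFS_SERVICE, TGT, now)


if __name__ == "__main__":
    for when in ("09/20/11 12:00:00", "09/20/11 17:50:00", "09/20/11 18:30:00"):
        print(when, demo(when))
```

The check only looks at the credential cache. Whether an NFS GSS context that rpc.gssd has already established keeps working once the tickets behind it expire is the library and application decision discussed earlier in the thread, which this script cannot see; it can only make sure fresh credentials are there before the lock so that the unlock path is not the first thing to notice.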




More information about the Kerberos mailing list