Expired passwords and tickets
Stefan Skoglund
Stefan.Skoglund at agj.net
Tue Sep 20 09:13:16 EDT 2011
On Fri, 2011-09-09 at 12:35 -0400, Greg Hudson wrote:
> On Fri, 2011-09-09 at 11:38 -0400, Mauricio Tavares wrote:
>
> > Now, talking about the tickets themselves,if user is connected to NFS
> > server and ticket expires, what happens? Are the mountpoints suddenly
> > unreachable?
>
> That depends on the application and on the library implementation. In
> AFS, for instance, when your tokens (derived from your tickets) expire,
> you lose access to the filesystem. That's a deliberate decision by AFS.
> I don't know if NFS makes a similar decision. The underlying GSSAPI
> library might decide to stop accepting messages when the tickets expire.
> MIT krb5 did that up until version 1.9, but the resulting app behavior
> was typically pretty bad, so as of version 1.9 we no longer check.
> Heimdal doesn't check in any version.
>
> Note that some application protocols don't use Kerberos or GSSAPI to
> process messages, only to authenticate. SSH, for instance, uses its own
> crypto protocol to protect the data stream. Applications like this
> typically won't care about ticket expiry regardless of the underlying
> Kerberos library version. (The application could query the GSSAPI
> security context for the expiry time, but doing so is pretty rare.)
>
I'm running a system (for learning only) with Linux Debian clients, a
Debian Linux KDC and a Solaris NFS server (NexentaStor) providing
home directories.
The directories are distributed with Kerberos protection, i.e. Kerberos
provides access authorization and data protection, as a separate
automount for each.
For example: root on the local machines can't read the mounts.
If user x's session is locked and the user's NFS ticket has expired,
the gnome screensaver unlock functionality won't get access to the X
authorization secret (which is stored in a file in the home directory).
It unlocks as soon as the user logs into one of the virtual terminals.
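The failure described in this message comes down to one question: has the service ticket for the NFS server already expired at the moment the screensaver tries to read the home directory? The following is an added example, not code from this thread or from MIT krb5, that answers that question from klist(1) output. It assumes the default MIT klist layout (two "MM/DD/YYYY HH:MM:SS" columns followed by the service principal, continuation lines indented) and works on a constructed cache listing; the `live_klist` helper, the principal names and the cache path are illustrative assumptions.

```python
"""Decide whether the Kerberos ticket for a service has expired, from
klist(1) output.  Added example, not code from the thread; it assumes
MIT krb5's default klist layout and a constructed credential cache."""
from datetime import datetime
import re
import subprocess

# Constructed sample of `klist` output standing in for a real cache
# (principal and host names are made up for the example).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: x@EXAMPLE.COM

Valid starting       Expires              Service principal
09/20/2011 09:00:00  09/20/2011 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
09/20/2011 09:01:12  09/20/2011 19:00:00  nfs/nas.example.com@EXAMPLE.COM
\trenew until 09/27/2011 09:00:00
"""

TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)\s*$")
TS_FMT = "%m/%d/%Y %H:%M:%S"


def when(s):
    """Parse a timestamp written in klist's own format."""
    return datetime.strptime(s, TS_FMT)


def parse_klist(text):
    """Return {service_principal: (valid_from, expires)} from klist text.
    Header lines and 'renew until' continuation lines are skipped."""
    tickets = {}
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if not m:
            continue
        start, end, princ = m.groups()
        tickets[princ] = (when(start), when(end))
    return tickets


def ticket_state(tickets, service, now):
    """'missing', 'expired', 'not-yet-valid' or 'valid' for one service
    at time `now` (a datetime).  Expiry is inclusive: at the 'Expires'
    instant the ticket is already unusable."""
    if service not in tickets:
        return "missing"
    start, end = tickets[service]
    if now >= end:
        return "expired"
    if now < start:
        return "not-yet-valid"
    return "valid"


def seconds_left(tickets, service, now):
    """Seconds of lifetime remaining; 0 once expired or if no ticket."""
    if service not in tickets:
        return 0
    _, end = tickets[service]
    return max(0, int((end - now).total_seconds()))


def live_klist():
    """Hypothetical use against the real cache: needs klist on PATH."""
    out = subprocess.run(["klist"], capture_output=True, text=True,
                         check=True).stdout
    return parse_klist(out)


if __name__ == "__main__":
    t = parse_klist(SAMPLE_KLIST)
    nfs = "nfs/nas.example.com@EXAMPLE.COM"
    for now in (when("09/20/2011 12:00:00"), when("09/20/2011 19:00:00")):
        print(now, ticket_state(t, nfs, now), seconds_left(t, nfs, now))
```

A screen-unlock helper or a cron job can call `ticket_state` before touching the Kerberized home directory and, if the NFS ticket is gone, prompt for a new TGT (or run `kinit -R` while the ticket is still renewable) instead of failing silently on the X authorization file.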