in Kerberos
Users home directories in NFS with root_squash and k5login file
daemon@ATHENA.MIT.EDU (Remi FERRAND)
Thu Sep 6 12:28:41 2018
Date: Thu, 6 Sep 2018 18:28:23 +0200 (CEST)
From: Remi FERRAND <firstname.lastname@example.org>
Content-Type: text/plain; charset="utf-8"
I'm using an NFS v4 export (sec=sys with root_squash enabled) to store my users home directories.
I'd like to use a ".k5login" file for a particular user.
My users are authenticating throw SSH using GSS-API, and user "bob@EXAMPLE.ORG" is trying to connect to account "alice@EXAMPLE.ORG".
In Alice's home I do have a k5login file (something like /nfs/home/alice/.k5login) with the following content:
When bob tries to connect as alice, this does not work (I was expecting this to fail).
I've tried to set `k5login_directory` to a local directory in my server's krb5.conf and everything works as expected.
The problem seems that the ssh daemon can't access /nfs/home/alice/.k5login because of the root_squash and the /nfs/home/alice directory permissions (0750).
I'm wondering what is the recommended way to use k5login files with users home stored in NFS filesystems with root_squash option enabled ?
Is that even possible (how ssh daemon can access a k5login file inside an NFS share with root_squash) ?
Kerberos mailing list Kerberos@mit.edu