[38328] in Kerberos

home help back first fref pref prev next nref lref last post

Users home directories in NFS with root_squash and k5login file

daemon@ATHENA.MIT.EDU (Remi FERRAND)
Thu Sep 6 12:28:41 2018

Date: Thu, 6 Sep 2018 18:28:23 +0200 (CEST)
From: Remi FERRAND <remi.ferrand@cc.in2p3.fr>
To: kerberos@mit.edu
Message-ID: <1494818508.306091909.1536251303472.JavaMail.zimbra@cc.in2p3.fr>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi everyone,

I'm using an NFS v4 export (sec=sys with root_squash enabled) to store my users home directories.
I'd like to use a ".k5login" file for a particular user.

My users are authenticating throw SSH using GSS-API, and user "bob@EXAMPLE.ORG" is trying to connect to account "alice@EXAMPLE.ORG".
In Alice's home I do have a k5login file (something like /nfs/home/alice/.k5login) with the following content:

```
alice@EXAMPLE.ORG
bob@EXAMPLE.ORG
```

When bob tries to connect as alice, this does not work (I was expecting this to fail).
I've tried to set `k5login_directory` to a local directory in my server's krb5.conf and everything works as expected.

The problem seems that the ssh daemon can't access /nfs/home/alice/.k5login because of the root_squash and the /nfs/home/alice directory permissions (0750).


I'm wondering what is the recommended way to use k5login files with users home stored in NFS filesystems with root_squash option enabled ?
Is that even possible (how ssh daemon can access a k5login file inside an NFS share with root_squash) ?

Thanks

Cheers

RĂ©mi

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


home help back first fref pref prev next nref lref last post