[30717] in Kerberos
Re: Solved: Kerberised NFS
daemon@ATHENA.MIT.EDU (Peter Eriksson)
Fri Feb 13 12:19:59 2009
From: Peter Eriksson <peter@ifm.liu.se>
Date: Fri, 13 Feb 2009 08:56:43 +0000 (UTC)
Message-ID: <gn3ckb$2e4$1@news.lysator.liu.se>
X-Complaints-To: root@lysator.liu.se
To: kerberos@mit.edu
Edward Irvine <eirvine@tpg.com.au> writes:
>On my workstation (and all kerberos clients) I have now inserted:
>a) "GSSAPIDelegateCredentials yes" parameter into /etc/ssh/ssh_config, and;
>b) "forwardable = true" in the [libdefaults] section of /etc/krb/krb5.conf, and;
>c) Played around with /etc/krb5/warn.conf so that tickets are
>automatically renewed.
>The end result is that I now have a TGT on the target, even when I
>log in to an intermediate machine first.
>I also did a little experiment. After logging in to the target
>machine, (with the GSSAPIDelegateCredentials working and all), I ran
>the "kdestroy" command. As expected, my home directory became
>immediately unreadable until I got a new TGT with the "kinit"
>command. Cool...
Next you'll discover the fun side effects of having a Secure NFS'd
home directory (I've been running with that for about a year now).
Most things work just as expected but then there are the warts...
Firefox:
When Firefox loses access to $HOME (for example if you are away from
your computer long enough for the ticket to expire) then the Google
search box will magically stop working. Solution: Restart Firefox.
Thunderbird:
When Thunderbird loses access to $HOME due to expiring tickets then
it will prevent you from being able to delete new mail in your IMAP inboxes.
New mail will show up fine though... Solution: Restart Thunderbird.
xscreensaver:
When $HOME goes away then xscreensaver will fail to launch the
password dialog application when you wish to login again (since
it can't read the .Xauthority file in your $HOME so it will
not be allowed access to your X server). Blank window forever...
Solution: ssh in from another machine and 'kill' xscreensaver.
crontab jobs, Grid Engine Jobs:
You'd better make sure you have tickets on the machines where they
are going to start your jobs and that the tickets won't expire
while the jobs are running. Solution: ?
ssh with S/Key (one time password):
Sure, you are let in after a successful authentication. But you will
still need to enter your password to get the ticket - allowing someone
to sniff it...
- Peter
--
Peter Eriksson <peter@ifm.liu.se> Phone: +46 13 28 2786
Computer Systems Manager/BOFH Cell/GSM: +46 705 18 2786
Physics Department, Linköping University Room: Building F, F203
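
An added example, not part of the original message: one way to check, before a cron or Grid Engine job starts, whether the TGT will outlive the job, which is the concern raised in the crontab item above. It assumes MIT-style `klist` output with `MM/DD/YY` dates; the sample output, principal names and function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of MIT-style `klist` output (assumed format, not from the message).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.ORG

Valid starting     Expires            Service principal
02/13/09 08:00:00  02/13/09 18:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\trenew until 02/20/09 08:00:00
02/13/09 08:05:10  02/13/09 18:00:00  nfs/files.example.org@EXAMPLE.ORG
"""

FMT = "%m/%d/%y %H:%M:%S"  # assumption: US-style dates as printed by MIT klist
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
ROW = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")

def tgt_window(klist_text):
    """Return (expires, renew_until) for the krbtgt entry, or None if absent."""
    lines = klist_text.splitlines()
    for i, line in enumerate(lines):
        m = ROW.match(line.strip())
        if not m or not m.group(3).startswith("krbtgt/"):
            continue
        expires = datetime.strptime(m.group(2), FMT)
        renew_until = None
        if i + 1 < len(lines):  # the renewable limit is printed on the next line
            r = re.match(r"^\s*renew until (.+)$", lines[i + 1])
            if r:
                renew_until = datetime.strptime(r.group(1).strip(), FMT)
        return expires, renew_until
    return None

def job_verdict(klist_text, now, runtime):
    """Classify whether a job starting at `now` for `runtime` keeps a valid TGT."""
    window = tgt_window(klist_text)
    if window is None or window[0] <= now:
        return "no-ticket"        # job would start without access to $HOME
    expires, renew_until = window
    end = now + runtime
    if end <= expires:
        return "ok"
    if renew_until and end <= renew_until:
        return "needs-renewal"    # safe only if the ticket is renewed (kinit -R) in time
    return "will-expire"          # $HOME goes away mid-job
```

A job wrapper would pass it the real `klist` output and the job's expected run time, and refuse to start on anything other than "ok" unless renewal is arranged.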