Subject: Re: Automatically distributing nfs/ssh host principals
From: Simon Wilkinson <simon@sxw.org.uk>
Date: Tue, 9 Feb 2010 17:41:55 +0000
To: Ken Raeburn <raeburn@mit.edu>
Cc: Guillaume Rousse <guillaume.rousse@inria.fr>, "kerberos@mit.edu" <kerberos@mit.edu>
In-Reply-To: <676A4421-0E1F-47E3-93D2-43248D84753B@mit.edu>
Message-Id: <A7C633B7-D3AC-40D9-9780-48B24F2428AE@sxw.org.uk>
On 9 Feb 2010, at 15:24, Ken Raeburn wrote:
> The idea has been kicked around before, and I believe one variant (registering a new host principal over a kadmin session protected by anonymous PKINIT) has been tried out in MIT's current development code.
What we do here is require the input of an administrator principal at installation time to create a hostclient/<hostname> principal. We then use kadmind ACLs to permit hostclient/<hostname> to create */<hostname> principals. This all has the big advantage that it works using the standard kadmind ACL syntax, and we don't need any additional logic.
We're planning on at some point moving over to Russ's wallet code to manage the creation of subsequent principals, and telling it with our configuration database which principals each machine is allowed to have.
>> Moreover, I don't think usurping another host's nfs principal has any
>> interest, and ssh has its own mechanism (host keys) to prevent spoofing.
>
> If you can change the NFS key, you can prevent people from accessing files.
Are these NFS server principals, or keys that are used by NFS clients for host-based trust?
> I don't think Kerberos-enabled SSH uses the SSH-style host keys; I think part of the point was avoiding having to have two authentication mechanisms at work. I could be wrong about that.
SSH supports either GSSAPI user authentication, which still uses SSH host keys, or GSSAPI key exchange, which doesn't. If you're a Kerberos site, and aren't using key exchange, you either don't have many machines, or you haven't thought hard enough about the problem.
S.
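The ACL pattern Simon describes above (an administrator creates hostclient/<hostname> at install time; kadmind's own ACLs then let that principal create only */<hostname> principals), written out as an added MIT krb5 kadm5.acl fragment. This is an illustration added here, not configuration from the thread or from any site; the realm EXAMPLE.ORG and the permission letters "a" (add) and "c" (change key, assumed to be what ktadd's randkey needs) are assumptions.

```text
# kadm5.acl: constructed example, not from the original message.
# Assumed realm: EXAMPLE.ORG
# Column layout: <principal> <permissions> [<target principal>]

# Administrators: used once per host, at installation time, to create
# that host's hostclient/<hostname> principal.
*/admin@EXAMPLE.ORG         *

# Too broad (do not use): no target column means "any principal", so one
# compromised host could create or re-key principals for every other host.
#hostclient/*@EXAMPLE.ORG   ac

# Scoped as described in the thread: the created principal's instance
# must equal the host's own instance. "*1" in the target column refers
# back to whatever the first wildcard in the principal column matched,
# so hostclient/www.example.org may only touch */www.example.org.
hostclient/*@EXAMPLE.ORG    ac   */*1@EXAMPLE.ORG
```

Note that the back-reference is what does the security work: without it the line would be equivalent to the commented-out one. kadmind reads this file at startup, so a restart is needed after editing it, and a quick check with `kadmin -p hostclient/www.example.org` attempting `addprinc -randkey nfs/other.example.org` should be refused.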
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos