Hello,

On Tue, Nov 29, 2016 at 01:37:00PM -0500, Steve Dickson wrote:
> The kernel would do an upcall to the user's
> creds but they have expired. Now if this
> new option is set, rpc.gssd would use
> the machine's cred? It seems to me that
> would not be too secure.

Maybe it is not considered secure, but it is still more secure to me than using sec=sys.

The problem is that a kerberized home is a problem for the .k5login file and also for .ssh/authorized_keys. While the .k5login file is accessed with root context (sshd), the authorized_keys is accessed with user context, so login via ssh pubkey is not possible at all.

Moreover, consider a scenario where a user has a symlink from his/her home to an NFS share; without a kerberos ticket, the logon process can get stuck until he/she has the ticket. The ticket cannot be created until successful logon.

> > Consider the following scenario:
> > 1) machine has NFS mounted /home using kerberos authentication
> > 2) user logs in, sshd creates krb ticket ($HOME/.k5login needs to be world
> > readable to allow kerberized access, e.g., using kerberos ticket)
> > 3) user stays logged in and krb ticket expires
> > 4) kinit to renew ticket produces strange error because $HOME is not
> > accessible and a new ticket is not created.
> >
> > So, I think in this case, I would like to see rpc.gssd use the host keytab while
> > the user's ticket is not available, which maps to nobody/nogroup, but kinit should
> > succeed.
> Who is going to do the kinits in this scenario?

The user comes back and wants to issue kinit. Kinit fails due to EPERM on anything in $HOME. The user has to log off and on again.

> I'm pretty sure sssd will do what you are looking for.

How could this help me to work around expired tickets?

--
Lukáš Hejtmánek