Date: Thu, 29 Feb 2024 03:19:27 +0000
From: Lexi Winter <lexi@le-fay.org>
To: freebsd-questions@freebsd.org
Cc: Rick Macklem <rick.macklem@gmail.com>
Subject: NFS, Kerberos and SSH
Message-ID: <Zd_3v6NhBlvIDdEJ@ilythia.eden.le-fay.org>

(Rick: i hope you don't mind the Cc:, but i thought you might be able to
offer some input here since you've helped me with Kerberized NFS in the
past.)
hi list,
i recently ran into a problem with NFS, Kerberos and SSH. the system
configuration was like this:
- Kerberos configured with a host ticket in /etc/krb5.keytab
- sshd configured to use Kerberos with GSSAPI authentication enabled
- Kerberized NFS configured with automountd(8) to manage /home
/etc/auto_master:

    /home auto_home

/etc/auto_home:

    * -nfsv4,sec=krb5p,gssname=host hemlock.eden.le-fay.org:/home/&

the problem is this: when a user tries to log in via ssh, SSH
authenticates the user's Kerberos ticket, then it tries to open a file
called $HOME/.k5login. however, because it does this without the user's
Kerberos ticket, the open fails with EIO, and sshd rejects the login
("authentication failed"):
from sshd -ddd:

    NFSv4 error WrongSec: You probably need a Kerberos TGT
    fstatat(AT_FDCWD,"/home/lexi/.k5login.d",0x2792356252b0,AT_SYMLINK_NOFOLLOW) ERR#5 'Input/output error'
    Failed gssapi-with-mic for lexi from 2001:8b0:aab5:106:3::10 port 63175 ssh2

using a forwardable ticket (ssh -K) does *not* fix the problem, because
sshd is not running with the user's Kerberos credentials at this point.
this behaviour is discussed in this upstream Heimdal ticket:
https://github.com/heimdal/heimdal/issues/368
the upshot is that it's impossible to allow users to log in via
Kerberized SSH while also using Kerberized NFS to mount their home
directories, even though this seems like a configuration that would be
both desirable and common in any environment using Kerberos.
so my first question is: is there a solution / workaround for this?
and my second question is: if the answer is no, what if i provided a
patch for the NFS client to add a new option, like 'fallbackgssname',
which would work like 'allgssname' except that it would only use the
host's Kerberos ticket if there isn't already an existing user-specific
Kerberos ticket? i haven't looked at how difficult this would be to
implement, but it seems like an obvious solution that would fix this
problem.
regards, lexi.
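The failure mode in the mail leaves a recognisable three-line pattern in an `sshd -ddd` transcript: the NFS client's WrongSec warning, a syscall on `$HOME/.k5login` (or `.k5login.d`) failing with ERR#5 (EIO), and then the GSSAPI authentication being rejected for that user. The following script is an added example, not part of the original message or of FreeBSD, that correlates those three lines so the rejection can be attributed to the Kerberized-NFS home directory rather than to a bad ticket. The transcript it runs on is constructed here from the lines quoted in the mail plus an invented successful login for a second user ("alice"); the `k5login_eio_failures` function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the original mail or from FreeBSD.
# Triage an `sshd -ddd` transcript for GSSAPI logins that were rejected
# because sshd could not read $HOME/.k5login(.d) on a krb5-secured NFS home:
#   1. "NFSv4 error WrongSec: ..."       (NFS client lacked a usable credential)
#   2. "... .k5login ... ERR#5 ..."      (the open/stat returned EIO)
#   3. "Failed gssapi-with-mic for USER" (sshd then rejected the login)
# Only a failure preceded by steps 1 and 2 is reported; any other
# gssapi-with-mic failure is left alone so real ticket problems are not
# misattributed to NFS.

# Constructed sample transcript: the three lines quoted in the mail, plus an
# invented successful login for a second user to show it is not flagged.
sample_log() {
    cat <<'EOF'
debug1: userauth-request for user lexi service ssh-connection method gssapi-with-mic
NFSv4 error WrongSec: You probably need a Kerberos TGT
fstatat(AT_FDCWD,"/home/lexi/.k5login.d",0x2792356252b0,AT_SYMLINK_NOFOLLOW) ERR#5 'Input/output error'
Failed gssapi-with-mic for lexi from 2001:8b0:aab5:106:3::10 port 63175 ssh2
debug1: userauth-request for user alice service ssh-connection method gssapi-with-mic
Accepted gssapi-with-mic for alice from 2001:db8::1 port 50000 ssh2
EOF
}

# Reads a transcript on stdin; prints one "USER PATH" line per login that
# was rejected right after an EIO on that user's .k5login / .k5login.d.
k5login_eio_failures() {
    awk '
        /NFSv4 error WrongSec/ { wrongsec = 1; next }

        # An EIO (ERR#5) on a .k5login-ish path while WrongSec is pending:
        # remember the quoted path from the syscall trace.
        wrongsec && /\.k5login/ && /ERR#5/ {
            if (match($0, /"[^"]*\.k5login[^"]*"/))
                path = substr($0, RSTART + 1, RLENGTH - 2)
            next
        }

        /Failed gssapi-with-mic for / {
            if (wrongsec && path != "") {
                # "Failed gssapi-with-mic for USER ..." -> USER is the 4th word
                split(substr($0, RSTART, RLENGTH + 0), a, " ")
                match($0, /Failed gssapi-with-mic for [^ ]+/)
                split(substr($0, RSTART, RLENGTH), a, " ")
                print a[4], path
            }
            wrongsec = 0; path = ""
            next
        }

        # A successful authentication resets any pending state.
        /Accepted / { wrongsec = 0; path = "" }
    '
}

# Stand-alone run: prints "lexi /home/lexi/.k5login.d" for the sample above.
sample_log | k5login_eio_failures
```

Run it as `sshd -ddd 2>&1 | tee sshd.log` on the server and then `k5login_eio_failures < sshd.log`; a user appearing in the output was rejected by the `.k5login` probe, not by the KDC, which is the distinction that matters when deciding whether a forwardable ticket (`ssh -K`) could have helped.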
