Date:      Wed, 2 Dec 2015 02:04:53 -0500 (EST)
From:      Benjamin Kaduk <kaduk@MIT.EDU>
To:        Rick Macklem <rmacklem@uoguelph.ca>
Cc:        hackers@freebsd.org
Subject:   Re: NFSv4 details and documentations
Message-ID:  <alpine.GSO.1.10.1512020158390.26829@multics.mit.edu>
In-Reply-To: <1162872124.114408327.1449007978859.JavaMail.zimbra@uoguelph.ca>
References:  <1162872124.114408327.1449007978859.JavaMail.zimbra@uoguelph.ca>

On Tue, 1 Dec 2015, Rick Macklem wrote:

> Are you able to explain how sshd is configured to do a kinit for the
> user as they ssh into a machine?

I had been planning to say something when I caught up on the thread, yes.

Slawa and I have a pre-existing disagreement about the nature of "single
sign-on" and how kerberos should "most properly" be used, but in the case
where one is planning to type one's kerberos password into sshd and
authenticate to the system, pam_krb5 should suffice.  We use AFS at MIT,
not NFS, but still have network homedirs that require kerberos tickets for
authentication, so we combine pam_krb5 and pam_afs_session to do the
necessary authentication.  Unfortunately, I never got the time to properly
port that setup from Linux to FreeBSD, so I don't have direct experience
with FreeBSD pam configuration for such a setup.

There is still the limitation that things like .k5login must be
world-readable in order for the login to work, which as I understand it is
acceptable for Slawa.

I'm not sure what the ordering is between pam and whatever part of the
login stack would be actually mounting the home directories, though.
Perhaps Slawa has some insight.

-Ben
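As an added illustration of the setup described above (pam_krb5 plus pam_afs_session on Linux, with the session modules ordered so the ticket cache exists before aklog runs, and the requirement that .k5login on a network home directory be world-readable), here is example code that is not from this thread or from either author. It assumes a Linux PAM stack built on Russ Allbery's pam-krb5 and pam-afs-session (the module option names are theirs); the file paths, the minimum_uid threshold and the check functions are assumptions made for illustration, and the ordering check only understands the plain "session required/optional module" line form, not the bracketed control syntax.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes Linux with
# pam-krb5 and pam-afs-session; option names are those modules', while the
# paths and the minimum_uid value are assumptions for illustration.

# PAM stack for sshd that turns the password typed at the prompt into a
# Kerberos TGT and then an AFS token. The session lines are ordered so that
# pam_krb5 has written the credential cache before pam_afs_session runs aklog.
pam_sshd_stack() {
    cat <<'EOF'
auth     sufficient pam_krb5.so try_first_pass minimum_uid=1000
auth     required   pam_unix.so try_first_pass
account  required   pam_krb5.so minimum_uid=1000
account  required   pam_unix.so
session  required   pam_krb5.so minimum_uid=1000
session  optional   pam_afs_session.so minimum_uid=1000 program=/usr/bin/aklog
EOF
}

# Return 0 when the first pam_krb5 session entry precedes the first
# pam_afs_session session entry in the given PAM service file (assumed
# helper; only handles plain "session <control> <module>" lines).
pam_session_order_ok() {
    awk '$1 == "session" && $3 == "pam_krb5.so" && !k        { k = NR }
         $1 == "session" && $3 == "pam_afs_session.so" && !a { a = NR }
         END { exit !(k && a && k < a) }' "$1"
}

# First ten characters of the ls -l mode string ("-rw-r--r--").
perm_chars() { ls -ld "$1" | cut -c1-10; }

# Mode-bit check for .k5login on a network home directory: the account
# step reads it before anything runs as the user, so it must be readable
# by others, and it must not be writable by group or others.
k5login_perms_ok() {   # $1 = path to the .k5login file
    [ -e "$1" ] || return 1
    p=$(perm_chars "$1")
    case "$p" in
        -r?????r??) ;;                        # regular file, owner- and world-readable
        *) return 1 ;;
    esac
    case "$p" in
        ?????w????|????????w?) return 1 ;;    # group- or world-writable
    esac
    return 0
}

# The home directory itself must be searchable by others, or the
# world-readable .k5login inside it is still unreachable.
homedir_traversable() {  # $1 = home directory
    [ -e "$1" ] || return 1
    p=$(perm_chars "$1")
    case "$p" in
        d????????[xt]) return 0 ;;
        *) return 1 ;;
    esac
}
```

For pam_krb5 to see a password at all, sshd must have UsePAM yes and allow password or keyboard-interactive authentication; a GSSAPI or public-key login never hands PAM a password, so no TGT is obtained that way. The mode-bit checks assume the home directory is on a filesystem where Unix permissions are what matters (e.g. Kerberized NFS); on AFS the equivalent is the directory ACL, which these checks do not inspect.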


