Date: Wed, 2 Dec 2015 02:04:53 -0500 (EST)
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Rick Macklem <rmacklem@uoguelph.ca>
Cc: hackers@freebsd.org
Subject: Re: NFSv4 details and documentations
Message-ID: <alpine.GSO.1.10.1512020158390.26829@multics.mit.edu>
In-Reply-To: <1162872124.114408327.1449007978859.JavaMail.zimbra@uoguelph.ca>
References: <1162872124.114408327.1449007978859.JavaMail.zimbra@uoguelph.ca>

On Tue, 1 Dec 2015, Rick Macklem wrote:

> Are you able to explain how sshd is configured to do a kinit for the
> user as they ssh into a machine?

I had been planning to say something when I caught up on the thread, yes. Slawa and I have a pre-existing disagreement about the nature of "single sign-on" and how kerberos should "most properly" be used, but in the case where one is planning to type one's kerberos password into sshd and authenticate to the system, pam_krb5 should suffice.

We use AFS at MIT, not NFS, but still have network homedirs that require kerberos tickets for authentication, so we combine pam_krb5 and pam_afs_session to do the necessary authentication. Unfortunately, I never got the time to properly port that setup from Linux to FreeBSD, so I don't have direct experience with FreeBSD pam configuration for such a setup.

There is still the limitation that things like .k5login must be world-readable in order for the login to work, which as I understand it is acceptable for Slawa.

I'm not sure what the ordering is between pam and whatever part of the login stack would be actually mounting the home directories, though. Perhaps Slawa has some insight.

-Ben