From owner-freebsd-hackers@freebsd.org Wed Dec 2 07:10:08 2015
Date: Wed, 2 Dec 2015 02:04:53 -0500 (EST)
From: Benjamin Kaduk
To: Rick Macklem
cc: hackers@freebsd.org
Subject: Re: NFSv4 details and documentations
In-Reply-To: <1162872124.114408327.1449007978859.JavaMail.zimbra@uoguelph.ca>
List-Id: Technical Discussions relating to FreeBSD

On Tue, 1 Dec 2015, Rick Macklem wrote:

> Are you able to explain how sshd is configured to do a kinit for the
> user as they ssh into a machine?
I had been planning to say something when I caught up on the thread, yes.

Slawa and I have a pre-existing disagreement about the nature of "single sign-on" and how Kerberos should "most properly" be used, but in the case where one is planning to type one's Kerberos password into sshd and authenticate to the system, pam_krb5 should suffice. We use AFS at MIT, not NFS, but still have network homedirs that require Kerberos tickets for authentication, so we combine pam_krb5 and pam_afs_session to do the necessary authentication. Unfortunately, I never got the time to properly port that setup from Linux to FreeBSD, so I don't have direct experience with FreeBSD pam configuration for such a setup.

There is still the limitation that things like .k5login must be world-readable in order for the login to work, which as I understand it is acceptable for Slawa.

I'm not sure what the ordering is between pam and whatever part of the login stack would be actually mounting the home directories, though. Perhaps Slawa has some insight.

-Ben
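As an added illustration (not configuration from the message, nor MIT's setup), this is FreeBSD's stock /etc/pam.d/sshd with its commented-out pam_krb5 entries enabled, which is the PAM stack that makes sshd obtain a ticket for the user as the question above asks; the OPIE and pam_ssh lines of the stock file are omitted, and the use of pam_afs_session in the session phase is assumed from the message rather than from any FreeBSD default.

```conf
# /etc/pam.d/sshd on FreeBSD (assumed: stock file with the pam_krb5 lines
# enabled; added example, not a configuration posted in the thread).

# auth: pam_krb5 takes the password sshd collected, obtains a TGT from the
# KDC and stores it in a credential cache for the session (the "kinit" the
# question asks about). "sufficient" ends the stack on a valid Kerberos
# login; pam_unix stays as the fallback for purely local accounts.
# try_first_pass reuses the password already prompted for.
auth        sufficient  pam_krb5.so     no_warn try_first_pass
auth        required    pam_unix.so     no_warn try_first_pass

# account: pam_krb5's authorization check is what consults ~/.k5login, so
# this is where the world-readable .k5login limitation from the message
# matters when the home directory lives on a network filesystem that the
# login process cannot yet read with the user's credentials.
account     required    pam_nologin.so
account     required    pam_krb5.so
account     required    pam_login_access.so
account     required    pam_unix.so

# session: base FreeBSD has nothing Kerberos-specific here. A module that
# turns the fresh ticket into a filesystem credential (pam_afs_session in
# the AFS case described above) would be placed here, i.e. after auth has
# created the ticket and before the user's shell starts.
session     required    pam_permit.so

# password: lets passwd(1) change the Kerberos password, with the local
# password database as fallback.
password    sufficient  pam_krb5.so     no_warn try_first_pass
password    required    pam_unix.so     no_warn try_first_pass
```

This only yields a ticket when sshd actually hands PAM a password, i.e. with UsePAM yes and password or keyboard-interactive authentication in sshd_config; a public-key login skips the auth stack entirely, so pam_krb5 never sees a password and no ticket is obtained.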