From owner-freebsd-hackers@freebsd.org Wed Dec 2 10:07:16 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4B353A3CEDE for ; Wed, 2 Dec 2015 10:07:16 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org [IPv6:2001:1900:2254:206a::50:5]) by mx1.freebsd.org (Postfix) with ESMTP id 33C191294 for ; Wed, 2 Dec 2015 10:07:16 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: by mailman.ysv.freebsd.org (Postfix) id 33846A3CEDB; Wed, 2 Dec 2015 10:07:16 +0000 (UTC) Delivered-To: hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3318DA3CEDA for ; Wed, 2 Dec 2015 10:07:16 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from zxy.spb.ru (zxy.spb.ru [195.70.199.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E42601293 for ; Wed, 2 Dec 2015 10:07:15 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from slw by zxy.spb.ru with local (Exim 4.86 (FreeBSD)) (envelope-from ) id 1a44JY-0007ZU-EC; Wed, 02 Dec 2015 13:07:08 +0300 Date: Wed, 2 Dec 2015 13:07:08 +0300 From: Slawa Olhovchenkov To: Benjamin Kaduk Cc: Rick Macklem , hackers@freebsd.org Subject: Re: NFSv4 details and documentations Message-ID: <20151202100708.GJ31314@zxy.spb.ru> References: <1162872124.114408327.1449007978859.JavaMail.zimbra@uoguelph.ca> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.24 (2015-08-30) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: slw@zxy.spb.ru X-SA-Exim-Scanned: No (on zxy.spb.ru); SAEximRunCond expanded to false X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Dec 2015 10:07:16 -0000 On Wed, Dec 02, 2015 at 02:04:53AM -0500, Benjamin Kaduk wrote: > On Tue, 1 Dec 2015, Rick Macklem wrote: > > > Are you able to explain how sshd is configured to do a kinit for the > > user as they ssh into a machine? > > I had been planning to say something when I caught up on the thread, yes. > > Slawa and I have a pre-existing disagreement about the nature of "single > sign-on" and how kerberos should "most properly" be used, but in the case > where one is planning to type one's kerberos password into sshd and > authenticate to the system, pam_krb5 should suffice. We use AFS at MIT, > not NFS, but still have network homedirs that require kerberos tickets for > authentication, so we combine pam_krb5 and pam_afs_session to do the > necessary authentication. Unfortunately, I never got the time to properly > port that setup from Linux to FreeBSD, so I don't have direct experience > with FreeBSD pam configuration for such a setup. FreeBSD ssh'd use thread emulations by fork, as result Kerberos token got at pam_krb5:auth can't be accessed at pam_krb5:session (for writing in /tmp/krb5cc_UID. Recompile with -DUNSUPPORTED_POSIX_THREADS_HACK resove this issuse (and I can login with kerberos password to host with kerberoized NFSv4 and w/o additional kinit or password sshd to another host. DES against UNSUPPORTED_POSIX_THREADS_HACK, but I am unable to follow his (PAM can change locale setting? ok, this is legally for may PAM's understund -- PAM designed for this. Vulnerability in PAM? In any case, PAM run as root and not chrooted) > There is still the limitation that things like .k5login must be > world-readable in order for the login to work, which as I understand it is > acceptable for Slawa. > > I'm not sure what the ordering is between pam and whatever part of the > login stack would be actually mounting the home directories, though. > Perhaps Slawa has some insight. I am use autofs (automount) for this.