NFS4 and remote access

Mike Eisler email2mre-linuxv4 at yahoo.com
Wed Apr 18 11:36:07 EDT 2007


> -----Original Message-----
> From: Ian Grant [mailto:Ian.Grant at cl.cam.ac.uk] 
> Sent: Wednesday, April 18, 2007 1:51 AM
> To: nfsv4
> Cc: Ian.Grant at cl.cam.ac.uk
> Subject: NFS4 and remote access
> 
> Dear List,
> 
> We are wondering how we can best allow remote ssh access to our users
> if their home directories are mounted using NFSV4 with kerberos
> authentication.
> 
> We currently try hard not to expose user passwords to remote systems.
> So we only allow ssh access using one-time passwords or public keys.
> 
> If we were to set up ssh so that users could connect using public keys,
> we would like them to be able to authenticate themselves to NFS without
> exposing their kerberos key. One idea is to have them use a one-time
> password to get credentials via a keytab, but securely managing the
> keytabs would be a problem.
> 
> Does anyone have a better idea? I would be interested to hear.

Kerberos has a concept of forwardable ticket granting tickets.
I don't know if the ssh you are using supports
Kerberos-based authentication and/or forward TGTs. The idea
is though that the forwarded TGT is sent, securely, from the
ssh client to the ssh server. The TGT is then used to
get Kerberos service tickets on the NFS client to access the NFS
server.

Slides 7-10 of http://www.connectathon.org/talks97/eisler1.pdf
explain this better (I hope). The example in slide 10
uses Kerberized telnet with the capability to forward TGTs.

Googling for 
  SSH forwardable TGT
produces plenty of hits, so it seems like this is doable, or
people are thinking about it.


> 
> Ian
> 
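
Added example, not part of the original message and not written by either poster: a pre-flight check for the forwarded-TGT setup described in the reply above. It assumes MIT-style `klist -f` output and OpenSSH's `ssh -G` output (options `GSSAPIAuthentication` and `GSSAPIDelegateCredentials`); the principals, host names and sample text are constructed.

```shell
#!/bin/sh
# Both functions read captured command output on stdin.

# Succeeds if `klist -f` output (MIT format assumed) contains a krbtgt
# ticket whose flags include F (forwardable). Lowercase f means "forwarded".
tgt_is_forwardable() {
    awk '
        # A ticket row starts with its date; note whether it is the TGT.
        /^[0-9]/ { in_tgt = ($0 ~ /krbtgt\//); next }
        in_tgt && /Flags:/ {
            sub(/.*Flags:[ \t]*/, "")
            if ($1 ~ /F/) found = 1
            in_tgt = 0
        }
        END { exit (found ? 0 : 1) }
    '
}

# Succeeds if the effective client configuration (`ssh -G host` output)
# enables both GSSAPI authentication and credential delegation.
ssh_will_delegate() {
    awk '
        tolower($1) == "gssapiauthentication"      && tolower($2) == "yes" { auth = 1 }
        tolower($1) == "gssapidelegatecredentials" && tolower($2) == "yes" { deleg = 1 }
        END { exit ((auth && deleg) ? 0 : 1) }
    '
}

# Constructed sample of `klist -f` output (not captured from a real system).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
04/18/07 11:00:00  04/18/07 21:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 04/25/07 11:00:00, Flags: FRIA
04/18/07 11:05:00  04/18/07 21:00:00  nfs/server.example.com@EXAMPLE.COM
    Flags: A'

# Constructed sample of `ssh -G nfsclient.example.com` output.
SAMPLE_SSH_G='user alice
hostname nfsclient.example.com
gssapiauthentication yes
gssapidelegatecredentials yes'

# Real use: klist -f | tgt_is_forwardable
#           ssh -G nfsclient.example.com | ssh_will_delegate
printf '%s\n' "$SAMPLE_KLIST" | tgt_is_forwardable && echo "TGT is forwardable"
printf '%s\n' "$SAMPLE_SSH_G" | ssh_will_delegate && echo "ssh will delegate credentials"
```

Both checks must pass on the machine the user starts from; delegation hands a usable TGT to the remote host, so it is normally enabled per host in `ssh_config` rather than globally.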



