NFS4 and remote access

Ian Grant Ian.Grant at cl.cam.ac.uk
Wed Apr 18 15:45:42 EDT 2007


On Wed, 2007-04-18 at 09:07 -0400, Kevin Coffman wrote:
> On 4/18/07, Ian Grant <Ian.Grant at cl.cam.ac.uk> wrote:
> > Dear List,
> >
> > We are wondering how we can best allow remote ssh access to our users
> > if their home directories are mounted using NFSv4 with Kerberos
> > authentication.
> >
> > We currently try hard not to expose user passwords to remote systems.
> > So we only allow ssh access using one-time passwords or public keys.
> >
> > If we were to set up ssh so that users could connect using public keys,
> > we would like them to be able to authenticate themselves to NFS without
> > exposing their Kerberos key. One idea is to have them use a one-time
> > password to get credentials via a keytab, but securely managing the
> > keytabs would be a problem.
> >
> > Does anyone have a better idea? I would be interested to hear.
> >
> > Ian
> 
> Have you considered using Kerberos authentication for ssh and
> forwarding Kerberos credentials?  (Assuming this is possible given the
> environment where the users are coming in from.)

Yes, we have had this working from within our own site, where we trust
the machines we manage. I should have been more clear: I meant remote
access from other institutions, cyber-cafes etc. where we cannot
necessarily trust anything beyond the ssh session. We don't want the
user typing kinit and entering their Kerberos key.


