NFS4 and remote access

Ian Grant Ian.Grant at cl.cam.ac.uk
Wed Apr 18 16:14:33 EDT 2007


On Wed, 2007-04-18 at 16:03 -0400, Trond Myklebust wrote:
> On Wed, 2007-04-18 at 20:45 +0100, Ian Grant wrote:
> > Yes, we have had this working from within our own site, where we trust
> > the machines we manage. I should have been more clear: I meant remote
> > access from other institutions, cyber-cafes etc. where we cannot
> > necessarily trust anything beyond the ssh session. We don't want the
> > user typing kinit and entering their kerberos key.
> 
> If you don't trust the keyboard that you are using to type with, then
> you cannot enter _any_ passwords that could be reused. The only way to
> deal with that would be use-once passwords (including for the ssh
> session itself).

Yes. That is why we don't allow password-based ssh authentication. Just
public keys. As I said in my message, we could lash up a one-time
password system, but that would need to have a cache (keytab) of users'
kerberos keys. I was wondering what alternatives there are. Do people
just use their kerberos keys and cross their fingers?


