NFS4 and remote access
Ian Grant
Ian.Grant at cl.cam.ac.uk
Wed Apr 18 16:45:43 EDT 2007
On Wed, 2007-04-18 at 16:17 -0400, J. Bruce Fields wrote:
> On Wed, Apr 18, 2007 at 09:14:33PM +0100, Ian Grant wrote:
> > On Wed, 2007-04-18 at 16:03 -0400, Trond Myklebust wrote:
> > > On Wed, 2007-04-18 at 20:45 +0100, Ian Grant wrote:
> > > > Yes, we have had this working from within our own site, where we trust
> > > > the machines we manage. I should have been more clear: I meant remote
> > > > access from other institutions, cyber-cafes etc. where we cannot
> > > > necessarily trust anything beyond the ssh session. We don't want the
> > > > user typing kinit and entering their kerberos key.
> > >
> > > If you don't trust the keyboard that you are using to type with, then
> > > you cannot enter _any_ passwords that could be reused. The only way to
> > > deal with that would be use-once passwords (including for the ssh
> > > session itself).
> >
> > Yes. That is why we don't allow password-based ssh authentication. Just
> > public keys.
>
> So you're trusting their private ssh keys to the cybercafe machines that
> they're logging on from?
Yes. We encourage people to create the private keys remotely and
transfer the public key over a session they've authenticated using a
one-time password, and to only allow logins from that host with that
public key. Then when they are finished they throw away that key.
We have not discovered any user account compromises since we started
this policy, but we had several before we disallowed password
authenticated ssh access. This may just be because we have made it so
hard for people to use external access that many have simply given up.
But the feeling remains that having met with some success we would be
making a backward step if we now tell people to enter their kerberos
passwords.
From the lack of alternative suggestions I guess there are no obvious
ones. The nicest solution I can think of is one-time kerberos keys, but
I've never heard of such a thing.
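The policy described above (one throwaway public key per remote host, logins allowed only from that host) is what the from="..." option in an OpenSSH authorized_keys entry enforces. As an added example that is not part of the original thread, the script below audits such a file and flags keys that are usable from any host; the authorized_keys contents are constructed for the example.

```python
import re

# Constructed sample authorized_keys: two entries follow the policy, one does not.
SAMPLE_AUTHORIZED_KEYS = """\
from="203.0.113.7" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+constructed1 cafe-2007-04-18
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+constructed2 laptop
from="*.example.org,!bad.example.org",no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed3 home
"""
KEY_TYPES = frozenset(["ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
                       "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"])

def parse_entry(line):
    """Split an entry into (options, keytype, key, comment). Options may hold
    quoted spaces/commas, so scan for the first unquoted whitespace."""
    in_quote, end = False, len(line)
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            end = i
            break
    first, rest = line[:end], line[end:].lstrip()
    if first in KEY_TYPES:          # no options: the line starts with the key type
        options, keytype = "", first
    else:
        options = first
        keytype, _, rest = rest.partition(" ")
    key, _, comment = rest.lstrip().partition(" ")
    return options, keytype, key, comment.strip()

def from_hosts(options):
    """Return the host patterns of a from="..." option, or None if absent."""
    m = re.search(r'(?:^|,)from="([^"]*)"', options)
    return m.group(1).split(",") if m else None

def audit(text):
    """Return (line_no, comment, problem) for every key usable from any host:
    either no from= option at all, or a from= list containing a bare '*'."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, _keytype, _key, comment = parse_entry(line)
        hosts = from_hosts(options)
        if hosts is None:
            findings.append((n, comment, "no from= host restriction"))
        elif any(h.strip() in ("", "*") for h in hosts):
            findings.append((n, comment, "from= pattern allows any host"))
    return findings
```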