Your can still authenticate with SSH keys, but to access any NFS 4 shares
they will need a Kerberos ticket, which can be obtained via a 'kinit' after
logging in. I forget what the default timeout is but they do expire, and at
that point access to those shares (by a user or process acting as that
user) will not be allowed. You may increase the timeout to something
comfortable. We have a solution where we have tickets set at a day and a
login script prompts for the password ( actually just runs kint ) for the
user if their ticket is expired, which covers interactive login, however it
does break scp unless they login first. For us it hasn't come up enough to
warrent coming up with another solution.

Note this is for sec=krb*, you can do nfs4 sec=sys and get no extra
security but other features of v4, and mount as normal.

-Anon
On Apr 28, 2016 5:09 PM, "Prasun Gera" <prasun.g...@gmail.com> wrote:

>
>
>> Moreover, if you login through an SSH key, you don't get a ticket on
>> login and you can't kinit, so you can't access any network resources
>> anyway..
>>
>>
> A bit off topic, but a related question:
> How does nfsv4 work with ssh keys ? Does it mean that you can't use ssh
> keys if /home is nfsv4 mounted ? I had tried nfsv4 briefly, but had some
> issues, and didn't look it in too much detail. Also, is it possible to use
> nfsv4 home in an HPC cluster environment where something like torque or
> slurm schedules jobs ? For nfsv3, I suppose the workload manager runs as
> the user, and hence it can read/write to the user's directory. Would it
> still be possible to do that in an nfsv4 system ? How would renewals happen
> for long running jobs without any user interaction ?
>
>
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to