Edward Irvine <[email protected]> writes:

>On my workstation (and all kerberos clients) I have now inserted:
>a) "GSSAPIDelegateCredentials yes" parameter into /etc/ssh/
>ssh_config, and;
>b) "forwardable = true" in the [libdefaults] section of /etc/krb/
>krb5.conf, and;
>c) Played around with /etc/krb5/warn.conf so that tickets are
>automatically renewed.
>The end result is that I now have a TGT on the target, even when I
>log in to an intermediate machine first.
>I also did a little experiment. After logging in to the target
>machine, (with the GSSAPIDelegateCredentials working and all), I ran
>the "kdestroy" command. As expected, my home directory became
>immediately unreadable until I got a new TGT with the "kinit"
>command. Cool...

Next you'll discover the fun side effects of having a Secure NFS'd
home directory (I've been running with that for about a year now).
Most things work just as expected but then there are the warts...

Firefox:
  When Firefox loses access to $HOME (for example if you are away from
  your computer long enough for the ticket to expire) then the Google
  search box will magically stop working.
  Solution: Restart Firefox.

Thunderbird:
  When Thunderbird loses access to $HOME due to expiring tickets then
  it will prevent you from being able to delete new mail in your IMAP
  inboxes. New mail will show up fine though...
  Solution: Restart Thunderbird.

xscreensaver:
  When $HOME goes away then xscreensaver will fail to launch the
  password dialog application when you wish to login again (since it
  can't read the .Xauthority file in your $HOME so it will not be
  allowed access to your X server). Blank window forever...
  Solution: ssh in from another machine and 'kill' xscreensaver.

crontab jobs, Grid Engine Jobs:
  You'd better make sure you have tickets on the machines where they
  are going to start your jobs and that the tickets won't expire while
  the jobs are running.
  Solution: ?

ssh with S/Key (one time password):
  Sure, you are let in after a successful authentication. But you will
  still need to enter your password to get the ticket - allowing
  someone to sniff it...

- Peter
--
--
Peter Eriksson <[email protected]>            Phone:    +46 13 28 2786
Computer Systems Manager/BOFH                Cell/GSM: +46 705 18 2786
Physics Department, Linköping University     Room:     Building F, F203
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
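
Added example, not part of the original post: a pre-flight check for the crontab/Grid Engine case above, which decides from `klist` output whether the TGT will outlive a job of a given length. The sample output, the principal names, the timestamp layout and the function names are all constructed assumptions; `klist` formatting differs between implementations and locales.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of MIT-style `klist` output (not from the original post).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.ORG

Valid starting       Expires              Service principal
03/01/2024 08:00:00  03/01/2024 18:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\trenew until 03/08/2024 08:00:00
03/01/2024 08:05:12  03/01/2024 18:00:00  nfs/files.example.org@EXAMPLE.ORG
\trenew until 03/08/2024 08:00:00
"""

# Assumed timestamp layout (MM/DD/YYYY HH:MM:SS); adjust FMT and TS for your klist.
TS = r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
TICKET = re.compile(rf"^{TS}\s+{TS}\s+(\S+)\s*$")
RENEW = re.compile(rf"^\s+renew until {TS}")
FMT = "%m/%d/%Y %H:%M:%S"

def parse_tgt(klist_text):
    """Return (expires, renew_until) for the krbtgt entry, or None if absent."""
    lines = klist_text.splitlines()
    for i, line in enumerate(lines):
        m = TICKET.match(line)
        if not m or not m.group(3).startswith("krbtgt/"):
            continue
        expires = datetime.strptime(m.group(2), FMT)
        # The renewable lifetime, if any, is on the indented line that follows.
        r = RENEW.match(lines[i + 1]) if i + 1 < len(lines) else None
        renew = datetime.strptime(r.group(1), FMT) if r else None
        return expires, renew
    return None

def job_verdict(klist_text, now, job_length):
    """Classify whether a job starting at `now` keeps a valid TGT throughout."""
    tgt = parse_tgt(klist_text)
    if tgt is None or tgt[0] <= now:
        return "no-ticket"        # nothing valid: $HOME is unreadable already
    expires, renew_until = tgt
    end = now + job_length
    if end <= expires:
        return "ok"               # ticket outlives the job as-is
    if renew_until and end <= renew_until:
        return "needs-renewal"    # survives only if something runs `kinit -R`
    return "too-long"             # even renewal cannot cover the job

if __name__ == "__main__":
    print(job_verdict(SAMPLE_KLIST, datetime(2024, 3, 1, 9), timedelta(hours=12)))
```

A job wrapper can refuse to start on anything other than "ok", or arrange renewal for "needs-renewal", instead of failing halfway through when the home directory disappears.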
