Hi, this is from a discussion I had with Samba developer Andrew Bartlett. We were discussing usage of the Heimdal kerberos module hdb-ldap when it turned out that both of us have the same idea on what to use for - LTSP. What do you guys think of the ideas presented here? Has anyone used LTSP and kerberos together?
10:29 <tarjei> one of my motivations for doing this is to use it with linux thin clients
10:30 <tarjei> this means that the box will boot from a nfs root. Do you think this will pose a problem?
10:30 <abartlet> I see no reason why this cannot work. This is exactly what I wish to do with it
10:31 <tarjei> good.
10:31 <abartlet> you will not be able to prove that the KDC is not being spoofed (as you don't want to put a private key on the workstation NFS mount)
10:31 <abartlet> but the other servers will certainly tell you...
10:32 <abartlet> (for pam_krb5 I mean. It can ask for a service key for the local machine, to detect a spoofed KDC)
10:32 <tarjei> ok, are you planning on doing thin clients in your environment?
10:32 <abartlet> yes
10:32 <abartlet> not sure of the timeframe, but I do want to do it
10:32 <tarjei> part of the problem might be that kdm (or xdm) runs on the server
10:32 <abartlet> that's why I wrote the krb5 changes :-)
10:33 <tarjei> two souls same thought
10:33 <abartlet> ok, this is LTSP?
10:33 <tarjei> yes
10:33 <abartlet> ok - that's trivial
10:34 <tarjei> yes ltsp is easy to work with. The plan is to solve the issues surrounding local apps.
10:34 <tarjei> today they suggest you use ssh keys.
10:34 <abartlet> hmm...
10:34 <abartlet> SSH keys, or even gssapi'ed SSH would work
10:35 <abartlet> both would need a private key on the NFS mount
10:36 <tarjei> this is where I expect trouble
10:37 <tarjei> but if you authenticate the user on the nfs'd box, keeping the keytab in local ram, then maybe you could get around the issues
10:37 <abartlet> no
10:37 <abartlet> I think you just put the key on the box
10:37 <abartlet> you are already putting the password in-clear over the network
10:38 <abartlet> for the GDM login
10:38 <abartlet> and if you don't, you can't get 'out' of the server back to the workstation, to start the 'local' app
10:38 * abartlet ponders
10:38 <abartlet> ok, you could run a local GDM, which would secure the thing quite a bit
10:39 <tarjei> yes that's what I'm saying :-)
10:39 <abartlet> but you would still need the SSH/krb5 private keys, for the workstations
10:39 <tarjei> didn't you say that pam_krb5 got that?
10:39 <abartlet> local GDM, and the .Xsession being 'ssh -X server gnome-session'
10:39 <abartlet> you could do this with pam_krb5, and it makes it all rather secure
10:40 <abartlet> except that it doesn't actually help local apps much
10:40 <abartlet> but the rest is very nicely secure :-)
10:40 <tarjei> this would even imply having secured the link between the server and the client yes.
10:42 <tarjei> would you mind if the last part of this conversation (10.29 - > ) was posted to the ltsp list for further comment?
10:42 <tarjei> they might have some ideas.
10:43 <abartlet> that's fine, I've said nothing private here
10:44 <abartlet> I really like the idea of local pam_krb5 and gdm, with SSH tunnel to the LTSP server
10:44 <abartlet> now, an active attacker can still play a *lot* of fun, but it locks things down quite a bit...

Tarjei
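To make the KDC-spoofing point in the log concrete, here is a toy model added to this post; it is not code from the chat, from Heimdal, or from pam_krb5. It stands in for Kerberos ticket encryption with an HMAC under the workstation's host key, and the host principal name and all keys are constructed. It shows the three cases the conversation turns on: a workstation with a local keytab talking to the real KDC, the same workstation talking to a spoofed KDC, and an NFS-root workstation with no keytab, which cannot tell the two apart.

```python
import hashlib
import hmac
import os

# Constructed sample values: a placeholder host principal and the host key
# that an honest provisioning step would have put both in the KDC and in
# the workstation's keytab.
HOST_PRINCIPAL = "host/ltsp-client-01.example.org"
REAL_HOST_KEY = hashlib.sha256(b"constructed host key, not a real one").digest()


def issue_service_ticket(kdc_service_keys, principal, user):
    """KDC side: build a ticket for `principal` and seal it with that service's key.
    A spoofed KDC that never received the real host key can only seal with a
    random one, which is exactly what the keytab check on the client catches."""
    key = kdc_service_keys.get(principal) or os.urandom(32)
    body = f"{principal}|{user}".encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body, tag


def verify_service_ticket(keytab, principal, ticket):
    """Workstation side (the role of pam_krb5's keytab verification): check the
    ticket against the local host key. Returns True/False, or None when the
    workstation has no key for its own principal and so cannot decide."""
    body, tag = ticket
    key = keytab.get(principal)
    if key is None:
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def pam_login_outcome(keytab, kdc_service_keys, user):
    """Outcome after the user's password has already been accepted by the
    (possibly spoofed) KDC: the only remaining defence is the host key."""
    ticket = issue_service_ticket(kdc_service_keys, HOST_PRINCIPAL, user)
    result = verify_service_ticket(keytab, HOST_PRINCIPAL, ticket)
    if result is None:
        return "unverifiable"  # no keytab on the NFS root: KDC is trusted blindly
    return "verified" if result else "spoofed"


def scenarios():
    """The three configurations discussed in the chat, with constructed keys."""
    honest_kdc = {HOST_PRINCIPAL: REAL_HOST_KEY}
    spoofed_kdc = {}  # an impostor KDC does not hold the workstation's host key
    with_keytab = {HOST_PRINCIPAL: REAL_HOST_KEY}
    no_keytab = {}    # thin client booted from NFS root, no private key on the mount
    return {
        "keytab+honest": pam_login_outcome(with_keytab, honest_kdc, "alice"),
        "keytab+spoofed": pam_login_outcome(with_keytab, spoofed_kdc, "alice"),
        "nfsroot+spoofed": pam_login_outcome(no_keytab, spoofed_kdc, "alice"),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The "unverifiable" branch is the trade-off abartlet describes: a client that refuses to carry a host key on its NFS mount gives up the one check that distinguishes a real KDC from an impostor, so the decision is between putting the key on the box and accepting that the login cannot be validated locally.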
Ltsp-discuss mailing list.
