On Thu, 2004-05-27 at 18:58, Tarjei Huse wrote:
> Hi, this is from a discussion I had with Samba developer Andrew
> Bartlett. We were discussing usage of the Heimdal Kerberos module
> hdb-ldap when it turned out that both of us have the same idea on what
> to use for - LTSP.
> What do you guys think of the ideas presented here? Has anyone used LTSP
> and Kerberos together?
The basic purpose of this proposal is to protect LTSP from a passive attack on the plaintext passwords being sent over the network. I think it is possible to create a system using SSH, Kerberos and the existing Kerberos-compatible password databases provided by Samba.

The basic idea is that we run GDM locally, rather than on the server. GDM then authenticates the user with KRB5, and obtains a ticket. This ticket is then used for a secure SSH login to the server, which invokes 'gnome-session' (or whatever), forwarding the results back over SSH's X forwarding.

This ensures the encryption of passwords, and the user's session. If the attacker does *not* modify the NFS traffic, it should be secure. (If they do, then all bets are off, as they have already installed pam_pwdsniff ;-)

Now, there is still the problem of 'local applications'. As I understand it, these are applications that do not access the user's home directory, but are computationally expensive (such as a screensaver ;-). The reverse SSH leg needs to be secured, and we need to know we are talking to the right workstation, and the workstation needs to know it's only talking to the right user.

This can be done again by the use of SSH. Instead of using a fixed private key on the workstation, common to all images, we can generate that key during the boot process, and give it to the server (for placement in the user's .ssh/known_hosts) as part of the login process. Similarly, the user's public key can be copied from their .ssh/ directory, and placed into the temporary authorized_keys file on the workstation.

How does this sound to people? The only particularly fancy bit here is the fact that we use the 'single sign on' capability of Kerberos, to avoid extra password prompts.

Andrew Bartlett

-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
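The reverse SSH leg in the proposal above (a per-boot workstation host key handed to the server for the user's known_hosts, and the user's own public key placed in a temporary authorized_keys on the workstation) implies some bookkeeping at login time. What follows is an added example, not code from this thread or from LTSP, Samba or Heimdal, of what the server-side half of that step could look like in Python using only the standard library: it writes the workstation key as an OpenSSH hashed known_hosts entry (the `|1|salt|hmac` form that HashKnownHosts produces), replaces any stale entry for that workstation since its key changes every boot, and builds the restricted authorized_keys line to send back. The hostnames, addresses and key material are constructed for the example (the "keys" are not real keys, just correctly framed 32-byte blobs); a shell implementation would reach the same entries with `ssh-keygen -H` and `ssh-keygen -F`.

```python
# Added example (not from the LTSP thread, Samba or Heimdal): server-side
# bookkeeping for the reverse SSH leg. The workstation hands over a per-boot
# host public key; the server records it in the user's known_hosts in OpenSSH's
# hashed form and returns an authorized_keys line for the user's own public key
# that the workstation should honour only when the server connects.
# All hostnames, addresses and key bytes below are constructed for the example.
import base64
import hashlib
import hmac
import os
import struct


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def constructed_ed25519_pubkey_line(fill: int, comment: str) -> str:
    """A syntactically valid 'ssh-ed25519 <base64> <comment>' line built from a
    made-up 32-byte value. NOT a real key: it only gives the functions below
    realistic input without shipping key material."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([fill]) * 32)
    return "ssh-ed25519 %s %s" % (_b64(blob), comment)


def ssh_fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint (as printed by ssh-keygen -lf), so the
    login step can log which workstation key it decided to trust."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return "SHA256:" + _b64(hashlib.sha256(blob).digest()).rstrip("=")


def hashed_known_hosts_line(hostname: str, pubkey_line: str, salt: bytes = None) -> str:
    """known_hosts entry in OpenSSH's hashed form:
       |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname)) keytype keydata
    so the user's file does not list every workstation name in clear."""
    if salt is None:
        salt = os.urandom(20)  # 20 bytes, the SHA-1 digest length OpenSSH uses
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    keytype, keydata = pubkey_line.split()[:2]
    return "|1|%s|%s %s %s" % (_b64(salt), _b64(mac), keytype, keydata)


def known_hosts_line_matches(line: str, hostname: str) -> bool:
    """Does this known_hosts line refer to hostname? Mirrors how ssh matches a
    hashed entry: recompute the HMAC with the stored salt and compare."""
    hostfield = line.split(None, 1)[0]
    if not hostfield.startswith("|1|"):
        return hostname in hostfield.split(",")  # plain, unhashed entry
    _, _, salt_b64, mac_b64 = hostfield.split("|")
    expected = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))


def restricted_authorized_keys_line(user_pubkey_line: str, server_addr: str) -> str:
    """Entry for the workstation's temporary authorized_keys: the user's key is
    accepted only from the server address, with port and agent forwarding off.
    X11 forwarding is deliberately left enabled, since 'local applications'
    need to draw on the workstation's display."""
    keytype, keydata = user_pubkey_line.split()[:2]
    options = 'from="%s",no-port-forwarding,no-agent-forwarding' % server_addr
    return "%s %s %s" % (options, keytype, keydata)


def register_workstation(known_hosts_path: str, hostname: str, host_pubkey_line: str) -> str:
    """Replace any earlier entry for this workstation (its key changes on every
    boot, so old entries are useless) with the new hashed entry and tighten the
    file mode. Returns the fingerprint of the key now trusted, for the login log."""
    try:
        with open(known_hosts_path) as fh:
            kept = [l.rstrip("\n") for l in fh
                    if l.strip() and not known_hosts_line_matches(l, hostname)]
    except FileNotFoundError:
        kept = []
    kept.append(hashed_known_hosts_line(hostname, host_pubkey_line))
    with open(known_hosts_path, "w") as fh:
        fh.write("\n".join(kept) + "\n")
    os.chmod(known_hosts_path, 0o600)
    return ssh_fingerprint(host_pubkey_line)


if __name__ == "__main__":
    # Stand-alone demo with constructed input: one workstation, one user key.
    ws_key = constructed_ed25519_pubkey_line(0x11, "root@ws-01")
    user_key = constructed_ed25519_pubkey_line(0x22, "user@ltsp-server")
    print(hashed_known_hosts_line("ws-01.example.lan", ws_key))
    print(restricted_authorized_keys_line(user_key, "10.0.0.1"))
    print("trusting workstation key", ssh_fingerprint(ws_key))
```

The `from=` option is what ties the second leg to the first: even if the temporary authorized_keys on the workstation leaked, the key in it is only usable from the server that just authenticated the user. Because the workstation host key is regenerated at boot, `register_workstation` drops the previous entry for that hostname rather than appending, which is also what keeps ssh from reporting a changed host key at the next login.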
