Tarjei,

Great stuff.  I've been seriously looking at Kerberos as a way to 
authenticate an LTSP session.  I'm still reading the O'Reilly kerberos 
book, trying to get a clear picture in my head for how it all works.

It's probably a good idea for us to get together on IRC and discuss some 
of the details.  Unfortunately, I'm travelling a lot now.  I'll be back 
on June 8th; maybe after that we can sit down and talk about this.

Thanks,
Jim McQuillan
[EMAIL PROTECTED]



On Thu, 27 May 2004, Tarjei Huse wrote:

> Hi, this is from a discussion I had with Samba developer Andrew
> Bartlett. We were discussing usage of the Heimdal kerberos module
> hdb-ldap when it turned out that both of us have the same idea on what
> to use for - LTSP. 
> What do you guys think of the ideas presented here? Has anyone used LTSP
> and kerberos together? 
> 
> 10:29 <tarjei> one of my motivations for doing this is to use it with
> linux thin clients
> 10:30 <tarjei> this means that the box will boot from a nfs root. Do you
> think this will pose a problem?
> 10:30 <abartlet> I see no reason why this cannot work.  This is exactly
> what I wish to do with it
> 10:31 <tarjei> good.
> 10:31 <abartlet> you will not be able to prove that the KDC is not being
> spoofed (as you don't want to put a private key on the workstation NFS
> mount)
> 10:31 <abartlet> but the other servers will certainly tell you...
> 10:32 <abartlet> (for pam_krb5 I mean.  It can ask for a service key for
> the local machine, to detect a spoofed KDC)
> 10:32 <tarjei> ok, are you planning on doing thin clients in your
> environment?
> 10:32 <abartlet> yes
> 10:32 <abartlet> not sure of the timeframe, but I do want to do it
> 10:32 <tarjei> part of the problem might be that kdm (or xdm) runs on
> the server
> 10:32 <abartlet> that's why I wrote the krb5 changes :-)
> 10:33 <tarjei> two souls same thought
> 10:33 <abartlet> ok, this is LTSP?
> 10:33 <tarjei> yes
> 10:33 <abartlet> ok - that's trivial
> 10:34 <tarjei> yes ltsp is easy to work with. The plan is to solve the
> issues surrounding local apps.
> 10:34 <tarjei> today they suggest you use ssh keys.
> 10:34 <abartlet> hmm...
> 10:34 <abartlet> SSH keys, or even gssapi'ed SSH would work
> 10:35 <abartlet> both would need a private key on the NFS mount
> 10:36 <tarjei> this is where I expect trouble
> 10:37 <tarjei> but if you authenticate the user on the nfs'd box,
> keeping the keytab in local ram, then maybe you could get around the
> issues
> 10:37 <abartlet> no
> 10:37 <abartlet> I think you just put the key on the box
> 10:37 <abartlet> you are already putting the password in-clear over the
> network
> 10:38 <abartlet> for the GDM login
> 10:38 <abartlet> and if you don't, you can't get 'out' of the server
> back to the workstation, to start the 'local' app
> 10:38  * abartlet ponders
> 10:38 <abartlet> ok, you could run a local GDM, which would secure the
> thing quite a bit
> 10:39 <tarjei> yes that's what I'm saying :-)
> 10:39 <abartlet> but you would still need the SSH/krb5 private keys, for
> the workstations
> 10:39 <tarjei> didn't you say that pam_krb5 got that?
> 10:39 <abartlet> local GDM, and the .Xsession being 'ssh -X server
> gnome-session'
> 10:39 <abartlet> you could do this with pam_krb5, and it makes it all
> rather secure
> 10:40 <abartlet> except that it doesn't actually help local apps much
> 10:40 <abartlet> but the rest is very nicely secure :-)
> 10:40 <tarjei> this would even imply having secured the link between the
> server and the client yes.
> 10:42 <tarjei> would you mind if the last part of this conversation
> (10.29 - > ) was posted to the ltsp list for further comment?
> 10:42 <tarjei> they might have some ideas.
> 10:43 <abartlet> that's fine, I've said nothing private here
> 10:44 <abartlet> I really like the idea of local pam_krb5 and gdm, with
> SSH tunnel to the LTSP server
> 10:44 <abartlet> now, an active attacker can still play a *lot* of fun,
> but it locks things down quite a bit...
> 
> 
> Tarjei
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by: Oracle 10g
> Get certified on the hottest thing ever to hit the market... Oracle 10g. 
> Take an Oracle 10g class now, and we'll give you the exam FREE.
> http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> _____________________________________________________________________
> Ltsp-discuss mailing list.   To un-subscribe, or change prefs, goto:
>       https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
> For additional LTSP help,   try #ltsp channel on irc.freenode.net
> 
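The design Andrew sketches at 10:39 (a local GDM with pam_krb5, and an .Xsession that is just 'ssh -X server gnome-session') can be written down as a small wrapper. The script below is an added example for this thread, not something either participant posted: the server name ltsp-server.example.org and the assumption that the local login already obtained a Kerberos TGT are mine. Using GSSAPI authentication for the SSH hop means the workstation needs no SSH private key on the NFS root (the concern raised at 10:35), and strict host-key checking refuses a substituted server instead of silently accepting it. It does not address the separate point that pam_krb5 can only detect a spoofed KDC if the workstation has its own host keytab.

```shell
#!/bin/sh
# Added example (not from the thread): an .Xsession wrapper for the
# "local GDM + pam_krb5, then ssh -X to the LTSP server" design.
# The server name is an assumption; set LTSP_SERVER to override it.

LTSP_SERVER="${LTSP_SERVER:-ltsp-server.example.org}"   # assumed name

# Build the ssh command line for the remote desktop session.
# GSSAPIAuthentication=yes reuses the TGT obtained by the local pam_krb5
# login, so no per-workstation SSH private key has to live on the NFS
# root.  GSSAPIDelegateCredentials=no keeps the TGT on the workstation.
# StrictHostKeyChecking=yes rejects an unknown or changed server key.
build_session_cmd() {
    printf 'ssh -X -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=no -o StrictHostKeyChecking=yes %s gnome-session' "$1"
}

# Returns 0 when a usable credential cache exists (klist -s exits 0 only
# for a cache holding non-expired tickets), 1 otherwise or when klist is
# not installed on this box.
have_krb5_ticket() {
    command -v klist >/dev/null 2>&1 || return 1
    klist -s
}

# The session may only start on top of a valid ticket; without one the
# ssh hop would fall back to prompting for a password over the network,
# which is exactly what the local-login design is meant to avoid.
session_allowed() {
    if have_krb5_ticket; then
        return 0
    fi
    return 1
}

main() {
    if ! session_allowed; then
        echo "no Kerberos ticket for this login; not starting remote session" >&2
        exit 1
    fi
    # The command contains no whitespace-bearing arguments, so plain
    # word splitting of the built string is safe here.
    exec $(build_session_cmd "$LTSP_SERVER")
}

# Only act when installed as the user's Xsession; sourcing the file
# elsewhere (for instance to reuse the helpers) does nothing.
case "$0" in
    *Xsession) main ;;
esac
```

Install it as the user's ~/.Xsession (or the site-wide Xsession hook) on the workstation image; the ssh options used are standard OpenSSH client options and can equally be set in ssh_config on the NFS root so the wrapper stays short.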


