On Mon, 2007-06-04 at 05:04 -0700, Peter Eriksson wrote:
> I'm setting up a more integrated Kerberos environment around here (Kerberos,
> Secure NFS, passwordless logins using SSH, multiple Kerberos domains, etc)
> and I've stumbled upon a couple of annoying things...
>
> 1. Why-o-why can't the tools handle multiple concurrent Kerberos domains
> ("kinit user at OTHERDOMAIN" to get a ticket for the other domain will remove
> my ticket for my local domain - which I'm needing to get SecureNFS to work...
> Not good :-)?
>

The problem here is that there is only one cred-cache being used. You can
maintain multiple cred-caches. See kinit(1) and krb5envvar(5).

Is there any reason you are setting up different Kerberos realms here? Why
not just use one realm, or at least set up cross-realm trust so that you
don't need to do multiple kinits.

> 2. If I use "ssh user at host.otherdomain" that also uses Kerberos then I
> will get a ticket just fine after I've entered my password. Unfortunately
> that ticket isn't forwardable so Secure NFS will fail when I ssh to some
> other host at that site... A manual "kinit -f" after I've logged in works,
> but it's really annoying for users... (CDE seems to generate a forwardable
> ticket by default). Can't seem to find anything configurable in Sun's sshd
> (or an option to ssh) to change this behaviour.
>

You can change this in the krb5 config file (/etc/krb5/krb5.conf). See the
"forwardable" flag as described in krb5.conf(4). You may also want to take a
look at GSSAPIStoreDelegatedCredentials in /etc/ssh/sshd_config. See
sshd_config(4).

> 3. Any plans to get rid of the /tmp/krb5cc_ files and put them into the
> kernel (or a daemon)?
>

It is possible to use a memory-backed cred-cache in certain situations. See
the env var "KRB5CCNAME" in krb5envvar(5).

There is an open RFE for per-session cred caches. See:
http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6561026

> How do other people implement Kerberos + SecureNFS + transparent remote
> logins between computers so that we don't drive people insane with endless
> password prompts? :-)
>

Use a single realm or set up cross-realm trust.

-Mark
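The two fixes Mark points at (a separate credential cache per realm via KRB5CCNAME, and checking that krb5.conf sets "forwardable" and that sshd stores delegated credentials) can be exercised with a few shell helpers. The script below is an added example, not code from the thread or from Sun; the krb5.conf and sshd_config fragments it writes are constructed samples, the cache path pattern /tmp/krb5cc_<uid>_<REALM> is an assumed naming convention rather than anything Solaris mandates, and the "first uncommented keyword wins" rule used for sshd_config is OpenSSH's behaviour, assumed to hold for Sun's sshd. It prints the kinit command rather than running it, so it works offline.

```shell
#!/bin/sh
# Added example (not from the original thread): POSIX sh helpers that check
# the two settings discussed in the reply and show how a per-realm credential
# cache is selected with KRB5CCNAME. Requires awk, grep and mktemp.

# Per-realm credential cache path (assumed naming convention). Using this as
# KRB5CCNAME for a second realm leaves the default /tmp/krb5cc_<uid> cache,
# which Secure NFS relies on, untouched.
cache_for_realm() {
    # $1 = realm, $2 = numeric uid (on a real host use: id -u)
    echo "FILE:/tmp/krb5cc_$2_$1"
}

# The command a user would run to obtain a forwardable ticket for another
# realm without clobbering the primary cache. Printed, not executed.
kinit_cmd_for_realm() {
    # $1 = user, $2 = realm, $3 = uid
    echo "KRB5CCNAME=$(cache_for_realm "$2" "$3") kinit -f $1@$2"
}

# Succeeds (exit 0) only if the [libdefaults] section of the given krb5.conf
# sets "forwardable = true"; a forwardable line in any other section is
# ignored, since that is not what makes kinit's default ticket forwardable.
krb5conf_forwardable() {
    awk '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        insec && $1 == "forwardable" && $2 == "=" && tolower($3) == "true" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Succeeds only if the first uncommented GSSAPIStoreDelegatedCredentials
# keyword in the given sshd_config is "yes" (first match wins, as in OpenSSH;
# assumed to apply to Sun sshd as well).
sshd_stores_delegated() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "gssapistoredelegatedcredentials" { print tolower($2); exit }
    ' "$1" | grep -qx yes
}

# Writes constructed sample configs to a temporary directory and prints its path.
write_samples() {
    d=$(mktemp -d)
    cat > "$d/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.COM
        forwardable = true
[realms]
        EXAMPLE.COM = {
                kdc = kdc.example.com
        }
EOF
    cat > "$d/krb5-weak.conf" <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.COM
        forwardable = false
EOF
    cat > "$d/sshd_config" <<'EOF'
# GSSAPIStoreDelegatedCredentials no
GSSAPIAuthentication yes
GSSAPIStoreDelegatedCredentials yes
EOF
    echo "$d"
}

# Stand-alone run: audit the constructed samples and show the per-realm kinit.
dir=$(write_samples)
for f in krb5.conf krb5-weak.conf; do
    if krb5conf_forwardable "$dir/$f"; then
        echo "$f: tickets from kinit are forwardable by default"
    else
        echo "$f: forwardable not set in [libdefaults]; users need kinit -f"
    fi
done
if sshd_stores_delegated "$dir/sshd_config"; then
    echo "sshd_config: delegated GSSAPI credentials are stored in a cache on login"
else
    echo "sshd_config: delegated credentials are not stored; Secure NFS will lack a ticket"
fi
echo "Second-realm ticket without touching the primary cache:"
kinit_cmd_for_realm user OTHER.EXAMPLE.COM 1001
rm -rf "$dir"
```

Run it with `sh` on a host and point the two check functions at the real /etc/krb5/krb5.conf and /etc/ssh/sshd_config instead of the samples; both return a non-zero status when the setting is absent, so they can be dropped into a configuration-compliance check.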