Kerberos on diskless clients

To: debian-edu@lists.debian.org
Subject: Kerberos on diskless clients
From: "John S. Skogtvedt" <jss@bzz.no>
Date: Tue, 15 Jun 2010 09:07:35 +0200
Message-id: <[🔎] 4C1726B7.80001@bzz.no>

Hello,

sorry for my late entry to the discussion on kerberos. It's really good
that you're working on it.

I wonder, has anybody thought about how to implement Kerberos+NFSv4 on
diskless clients?
My understanding is that every workstation needs to have a
"$hostname/nfs" principal in Kerberos, with a secret key. Every machine
which presents a correct principal and key can read the exported
filesystem, but to write to it you need to authenticate to kerberos
(with a user principal). If any of this is incorrect, please correct me.

As the diskless filesystem is (by necessity) available to anyone,
putting Kerberos keys for all clients there would be no more secure than
NFSv3. One idea is to put the key on a HD or CF card, another is to put
the encrypted keys in the chroot and prompt the admin for the password
at boot. Of course, both of these suffer from the problem that the
server can't be trusted (e.g. a second server on the network serving a
filesystem which gathers keys and passwords).

John.

Reply to:

Follow-Ups:
- Re: Kerberos on diskless clients
  - From: Jonas Smedegaard <jonas@jones.dk>

Prev by Date: Gearing up the Squeeze development test turnaround time
Next by Date: Re: Gearing up the Squeeze development test turnaround time
Previous by thread: Re: Gearing up the Squeeze development test turnaround time
Next by thread: Re: Kerberos on diskless clients
Index(es):
- Date
- Thread