
Re: Diskless and Kerberos



Hi Giorgio,

On Wed 23 May 2012 09:26:33 CEST Giorgio Pioda wrote:

> last night I got a half a cent idea for Diskless stations Kerberization.
>
> What about exporting the chroot / file system containing a single /etc/krb5.keytab
> containing all the nfs/disklessclients entries...
>
> The single diskless unit should get its hostname via dhcp (assigned from MAC)
> and then could pick the correct TGT key and preauthenticate.
>
> The only problem would be to play a little with the boot sequence, so that
> Kerberos TGT challenge will happen with correct timing.
>
> The basic idea is thus to protect exported homedirs and leave the rest as
> cleartext filesystem.
>
> Probably I was too tired and this idea is just bull****. At the moment
> I have no testing time / hardware.

Basically and technically, your idea is brilliant...

And: I see a great security hole in it... How do you protect the keytab file from being sniffed from alien machines?

With an exported/unprotected keytab it becomes very easy to take over a machine's identity in a Kerberized network.

Mike

--

DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419

GnuPG Key ID 0xB588399B
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
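As an added illustration of Mike's objection (this is example code, not from the thread or from any Debian Edu tool): a small audit that parses an /etc/exports file and reports every keytab that lives inside an export any host can mount, or that is served with plain sec=sys rather than a krb5 flavour. The export file, paths and hostnames are constructed assumptions.

```python
import posixpath
# Constructed sample /etc/exports for the NFS root server; paths and
# hostnames are assumptions for this example, not from the mail.
SAMPLE_EXPORTS = """\
# diskless chroot, readable by every host that can reach the server
/srv/diskless   *(ro,no_root_squash)
# home directories, Kerberos-protected as the mail proposes
/srv/home       *(rw,sec=krb5p)
# per-host chroot, exported only to its own workstation with krb5p
/srv/ws01       ws01.example.org(ro,sec=krb5p)
"""
SAMPLE_KEYTABS = [  # keytab locations on the server (also constructed)
    "/srv/diskless/etc/krb5.keytab",
    "/srv/ws01/etc/krb5.keytab",
    "/srv/home/alice/.keytab",
]

def parse_exports(text):
    """Yield (directory, client, option set) for each client of each export."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directory, *clients = line.split()
        for token in clients:
            host, _, opts = token.partition("(")
            options = {o for o in opts.rstrip(")").split(",") if o}
            yield directory, host, options

def _under(path, directory):
    directory = posixpath.normpath(directory)
    return path == directory or path.startswith(directory.rstrip("/") + "/")

def find_exposed_keytabs(exports_text, keytab_paths):
    """Return sorted (keytab, directory, client, reason) tuples for keytabs that
    sit inside an export open to arbitrary hosts or mountable without Kerberos
    (NFS falls back to sec=sys when no sec= option is given)."""
    findings = []
    for directory, client, options in parse_exports(exports_text):
        flavours = {f for o in options if o.startswith("sec=") for f in o[4:].split(":")}
        for keytab in keytab_paths:
            if not _under(keytab, directory):
                continue
            if any(c in client for c in "*?/"):
                findings.append((keytab, directory, client, "wildcard or network client list"))
            if not flavours & {"krb5", "krb5i", "krb5p"}:
                findings.append((keytab, directory, client, "unauthenticated sec=sys export"))
    return sorted(findings)
```

Run `find_exposed_keytabs(SAMPLE_EXPORTS, SAMPLE_KEYTABS)`: the shared diskless keytab is reported twice (open to every host, and served without Kerberos), the keytab under the krb5p-protected but wildcard home export once, and the per-host krb5p export not at all.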
