Re: Diskless and Kerberos
Hi
On Wed, May 23, 2012 at 09:55:54AM +0200, Mike Gabriel wrote:
> Hi Giorgio,
>
> On Mi 23 Mai 2012 09:26:33 CEST Giorgio Pioda wrote:
>
> >last night I got a half a cent idea for Diskless stations Kerberization.
> >
> >What about exporting the chroot / file sistem containing a single
> >/etc/krb5.keytab
> >containing all the nfs/disklessclients entries...
> >
> >The single diskless unit should get its hostname via dhcp (assigned from MAC)
> >and then could pick the correct TGT key and preauthenticate.
> >
> >The only problem would be to play a little with the boot sequence, so that
> >Kerberos TGT challenge will happen with correct timing.
> >
> >The basic Idea is thus to protect exported homedirs and leave the rest as
> >cleartext filesystem.
> >
> >Probably I was too tired and this idea is just bull****. At the moment
> >I have no testing time / hardware.
>
> Basically and technically, your idea is brilliant...
>
> And: I see a great security hole in it... How do you protect the
> keytab file from being sniffed from alien machines?
>
Well, if an alien machine sniff it, the attacker is well blocked at level
of user auth. In principle machine auth is not so important as
user auth since we are protecting homedirs and not services.
In itself, it would be rather easy to use ssh-fuse
homedir mounts instead of kerberized NFS obtaining a good protections
of users data. But in that case the disadvantage would be to loose
the single sign on and a substantial reduction in data transmission speed.
Best Regards
Giorgio
--
Giorgio Pioda - Sysadmin SPSE-Tenero
Cell +41 79 629 20 63
Uff. +41 91 735 62 48
Reply to: