
Re: Diskless and Kerberos



[Giorgio Pioda]
> Well, if an alien machine sniffs it, the attacker is well blocked at
> the level of user auth. In principle machine auth is not so important as
> user auth since we are protecting homedirs and not services.

Yes, the home directory mount would be easier if only the user auth was
needed.  Note that there is no need to sniff the keytab file.  All an
attacker would need to do is mount the LTSP root and read the file.

> In itself, it would be rather easy to use ssh-fuse homedir mounts
> instead of kerberized NFS, obtaining good protection of users'
> data. But in that case the disadvantage would be to lose the single
> sign on and a substantial reduction in data transmission speed.

Except that ssh-fuse is not usable as a home directory.  rename is not
atomic, and umask is not properly handled.  Both can cause problems. :)
-- 
Happy hacking
Petter Reinholdtsen
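
A probe for the two behaviours named in the reply above (rename over an existing file, and umask at file creation), added here as an example and not code from the thread. The function names and probe file names are assumptions, and the rename check only confirms that the target is replaced, which is a necessary condition for atomic rename and not proof of it.

```python
import os
import stat
import tempfile


def rename_replaces_target(directory):
    """True if rename() over an existing file succeeds and leaves the new content."""
    src = os.path.join(directory, ".probe_new")   # hypothetical probe names
    dst = os.path.join(directory, ".probe_old")
    try:
        with open(dst, "w") as f:
            f.write("old")
        with open(src, "w") as f:
            f.write("new")
        try:
            os.rename(src, dst)  # POSIX: replaces dst in a single step
        except OSError:
            return False         # filesystem refused to overwrite the target
        with open(dst) as f:
            return f.read() == "new" and not os.path.exists(src)
    finally:
        for p in (src, dst):
            if os.path.exists(p):
                os.unlink(p)


def umask_honoured(directory, mask=0o077):
    """True if a file requested with mode 0666 under `mask` ends up 0666 & ~mask."""
    path = os.path.join(directory, ".probe_umask")
    previous = os.umask(mask)
    try:
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o666)
        os.close(fd)
        return stat.S_IMODE(os.stat(path).st_mode) == (0o666 & ~mask)
    finally:
        os.umask(previous)
        if os.path.exists(path):
            os.unlink(path)


def check_home_candidate(directory):
    """Run both probes against a directory on the filesystem under test."""
    return {"rename_replaces_target": rename_replaces_target(directory),
            "umask_honoured": umask_honoured(directory)}


if __name__ == "__main__":
    # Constructed demo: a local temporary directory stands in for the mount point.
    with tempfile.TemporaryDirectory() as d:
        print(check_home_candidate(d))
```

Point `check_home_candidate` at a directory on the mounted filesystem that is being considered for home directories; a `False` in either field means programs that rely on that behaviour will misbehave there.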

