Package: debian-edu-config Severity: wishlist Version: 2.12.14On a Debian Edu 11 network, NFS home mounts are only allowed via NFSv4 + sec=krb5i. For this, the user and the host need to acquire valid Kerberos ticket.
While the user can acquire their ticket via login (pam_krb5.so), the host needs to obtain two tickets (a host and a service ticket) elsewhere. This is normally done via two key entries in /etc/krb5.keytab.
Those host / service key entries are tied to the hostname of the machine, which is problematic on diskless machines (because the same system (chroot / squashfs image) can be used on several hosts on the network, with different hostnames.
The idea here is to deploy a specific (optional) hack on the Debian Edu network that will allow us to boot diskless workstations with support for NFSv4 and krb5i.
The idea outline for this is this:
* add a "diskless-workstation-hosts" NIS netgroup to LDAP
* let the admins put all their DLW hosts into that NIS netgroup
* on host modification, gosa-modify-host will update a file e.g.
/var/lib/debian/krb5.keytab_dlw; this file contains all
host/<client> and nfs/<client> principal keys for all known
diskless workstations
* on DLW boot, root@DLW will be able to SSH into tjener (as
unprivileged user with access to /var/lib/debian/krb5.keytab_dlw
and copy that file onto the DLW as /etc/krb5.keytab at runtime).
* on the DLW some more permission adjustments are required root:root:0600
for /etc/krb5.keytab)
* with this, NFS krb5i should work on DLWs just fine and we don't
expose any information to non-root users on the network
light+love
Mike
This approach has been previously discussed with Wolfgang Schweer on IRC:
22:13 < sunweaver> so, I have an idea for diskless workstations
(DLWs). Actually, two ideas.
22:14 < sunweaver> Couldn't we provide an
/var/lib/debian-edu/krb5.keytab_dlw on TJENER that only contains
diskless workstation keys?
22:15 < sunweaver> and we add a non-privileged user that can SSH from
a booting DLW into TJENER and grab that file?
22:16 < sunweaver> That means we need to run adduser and ssh-keygen
during chroot creation and deploy the SSH pubkey to
<non-privileged-user>@tjener:~/.ssh/authorized_keys.
22:16 < schweer> the keytab file needs to be root.root permissions22:16 < sunweaver> on the DLW (while booting) the grabbing of the keytab file would run as root and file permissions can be set appropriately after grabbing the file from tjener.
22:17 < schweer> ok, makes sense22:17 < sunweaver> only, I wouldn't want to SSH into tjener as root. That would be probably worth a CVE then. 22:18 < sunweaver> question: do we have a way to identify DLW machines in LDAP? 22:18 < sunweaver> if not, I was thinking of adding a diskless-workstation-hosts NIS netgroup
22:18 < schweer> not out of the box 22:19 < sunweaver> so, my idea is: 22:19 < sunweaver> add diskless-workstation-hosts NIS netgroup in LDAP22:19 < sunweaver> let the admin shove all the DLW hosts into that NIS netgroup 22:19 < sunweaver> on host modification, gosa-modify-host will update the /var/lib/debian/krb5.keytab_dlw 22:20 < sunweaver> and on DLW boot, root@DLW will SSH into tjener (as unprivileged user with access to /var/lib/debian/krb5.keytab_dlw and copy that file onto the DLW at runtime). 22:21 < sunweaver> permission adjustments will be done to root:root and 0600 for /etc/krb5.keytab (and with this, NFS krb5i should work on DLWs).
22:21 < sunweaver> what do you think? 22:21 < schweer> seems to be worth trying 22:21 < sunweaver> ok, will do...22:22 < sunweaver> I'll try that in the field first and will then provide d-e changes. 22:22 < schweer> but then all DLWs must be added with GOsa, or am i completely wrong?
22:22 < sunweaver> yeah, sure.22:23 < sunweaver> they need a krb5 principal (host + nfs) and that happens via creating the host in GOsa.
22:23 < sunweaver> (well, via gosa-modify-host hook, but yes...) 22:23 < sunweaver> ok? 22:23 < schweer> yes, please try it -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
Attachment:
pgprOpUuxTtB5.pgp
Description: Digitale PGP-Signatur