[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: home directory weirdness with Kerberos+NFSv4

On Mon, Oct 08, 2007 at 08:03:03AM -0400, Roberto C. Sánchez wrote:
> roberto@miami:~$ ssh manta
> Last login: Mon Oct  8 07:09:18 2007 from miami.connexer.com
> Could not chdir to home directory /network/home/roberto: Permission denied
> /usr/X11R6/bin/xauth:  timeout in locking authority file /network/home/roberto/.Xauthority
> -bash: /network/home/roberto/.bash_profile: Permission denied
> -bash-3.00$ logout
> -bash: /network/home/roberto/.bash_logout: Permission denied
> Connection to manta closed.

Apologies for the self reply, but I seem to have found a work around.
Hopefully someone coming across this in the archives will be able to use
this information.

The problem is that sshd's use of processes (instead of threads) means
that when pam_krb53.so is invoked to setup the tickets, it is done in a
process that the client (or user) never touches.  So, the tickets are
generated and promptly lost.  In the case of NFSv4 mounted home
directories this is a real problem, as the xauth and bash processes that
are run as the user now cannot access the user's home directory.  I also
think that my use of key-based logins (i.e., all password logins for ssh
on my network are disabled) also contributes to the problem.
Additionally, it appears that sshd in Sarge linked against pthreads, so
this may not have been a problem then.  But Etch's sshd is not threaded.

A posting by Russ Alberry on one of the OpenAFS sites mentioned using
the -K option to ssh on the client.  The configuration file equivalent
is to add "GSSAPIDelegateCredentials yes" to /etc/ssh/ssh_config (for
system-wide) or to ~/.ssh/config (for per-user) credential delegation.

So, now with that directive in my ~/.ssh/config I no longer receive the
permission denied, as the current ticket from my current session is
forwarded along properly.



Roberto C. Sánchez

Attachment: signature.asc
Description: Digital signature

Reply to: