Date: Thu, 29 Feb 2024 03:19:27 +0000
From: Lexi Winter
To: freebsd-questions@freebsd.org
Cc: Rick Macklem
Subject: NFS, Kerberos and SSH
Mail-Followup-To: freebsd-questions@freebsd.org, Rick Macklem
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

(Rick: i hope you don't mind the Cc:, but i thought you might be able to offer some input here since you've helped me with Kerberized NFS in the past.)

hi list,

i recently ran into a problem with NFS, Kerberos and SSH.
the system configuration was like this:

- Kerberos configured with a host ticket in /etc/krb5.keytab
- sshd configured to use Kerberos with GSSAPI authentication enabled
- Kerberized NFS configured with automountd(8) to manage /home

/etc/auto_master:

    /home  auto_home

/etc/auto_home:

    *  -nfsv4,sec=krb5p,gssname=host  hemlock.eden.le-fay.org:/home/&

the problem is this: when a user tries to log in via ssh, SSH authenticates the user's Kerberos ticket, then it tries to open a file called $HOME/.k5login. however, because it does this without the user's Kerberos ticket, the open fails with EIO, and sshd rejects the login ("authentication failed"):

from sshd -ddd:

    NFSv4 error WrongSec: You probably need a Kerberos TGT
    fstatat(AT_FDCWD,"/home/lexi/.k5login.d",0x2792356252b0,AT_SYMLINK_NOFOLLOW) ERR#5 'Input/output error'
    Failed gssapi-with-mic for lexi from 2001:8b0:aab5:106:3::10 port 63175 ssh2

using a forwardable ticket (ssh -K) does *not* fix the problem, because sshd is not running with the user's Kerberos credentials at this point.

this behaviour is discussed in this upstream Heimdal ticket:

https://github.com/heimdal/heimdal/issues/368

the upshot is that it's impossible to allow users to log in via Kerberized SSH while also using Kerberized NFS to mount their home directories, even though this seems like a configuration that would be both desirable and common in any environment using Kerberos.

so my first question is: is there a solution / workaround for this?

and my second question is: if the answer is no, what if i provided a patch for the NFS client to add a new option, like 'fallbackgssname', which would work like 'allgssname' except that it would only use the host's Kerberos ticket if there isn't already an existing user-specific Kerberos ticket? i haven't looked at how difficult this would be to implement, but it seems like an obvious solution that would fix this problem.

regards,
lexi.
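As an added example (not part of the original mail), the following script audits autofs map entries in the /etc/auto_home syntax shown above and flags every mount whose security flavour is krb5/krb5i/krb5p without the allgssname option, i.e. mounts where any process lacking a per-user TGT (such as sshd reading $HOME/.k5login before the session exists) will hit the EIO described in the mail. The sample map is constructed for this example; only its first line mirrors the real entry, and the report only flags entries, it does not decide whether host credentials should be used for all users.

```shell
#!/bin/sh
# Constructed sample map in the /etc/auto_home syntax: KEY [-OPTIONS] LOCATION.
# First line mirrors the entry from the mail; the other two are made up here.
SAMPLE_MAP='* -nfsv4,sec=krb5p,gssname=host hemlock.eden.le-fay.org:/home/&
shared -nfsv4,sec=krb5i,gssname=host,allgssname hemlock.eden.le-fay.org:/shared
scratch -nfsv4,sec=sys hemlock.eden.le-fay.org:/scratch'

# classify_entry OPTIONS -> prints one of:
#   krb5-user-cred-only : krb5 flavour without allgssname (each RPC needs the user's TGT)
#   krb5-host-cred      : krb5 flavour with allgssname (host keytab used for every RPC)
#   no-krb5             : sec=sys or no sec= option at all
classify_entry() {
    _opts=${1#-}                      # drop the leading '-' of the option field
    _krb5=0; _all=0
    _saved_ifs=$IFS; IFS=,            # split the comma-separated option list
    for _o in $_opts; do
        case "$_o" in
            sec=krb5|sec=krb5i|sec=krb5p) _krb5=1 ;;
            allgssname) _all=1 ;;
        esac
    done
    IFS=$_saved_ifs
    if [ "$_krb5" -eq 1 ] && [ "$_all" -eq 1 ]; then echo krb5-host-cred
    elif [ "$_krb5" -eq 1 ]; then echo krb5-user-cred-only
    else echo no-krb5; fi
}

# audit_map: reads map lines on stdin, prints "FLAG KEY CLASS LOCATION" per entry.
# Blank lines and '#' comments are skipped; the option field is optional.
audit_map() {
    while read -r _key _f2 _f3; do
        case "$_key" in ''|'#'*) continue ;; esac
        case "$_f2" in
            -*) _class=$(classify_entry "$_f2"); _loc=$_f3 ;;
            *)  _class=no-krb5; _loc=$_f2 ;;   # no option field present
        esac
        _flag=OK
        [ "$_class" = krb5-user-cred-only ] && _flag=NEEDS-USER-TGT
        printf '%s %s %s %s\n' "$_flag" "$_key" "$_class" "$_loc"
    done
}

# Run the audit over the constructed map; the '*' /home entry is the one flagged.
printf '%s\n' "$SAMPLE_MAP" | audit_map
```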