NFSv4 details and documentations

Slawa Olhovchenkov slw at zxy.spb.ru
Wed Dec 2 10:07:16 UTC 2015


On Wed, Dec 02, 2015 at 02:04:53AM -0500, Benjamin Kaduk wrote:

> On Tue, 1 Dec 2015, Rick Macklem wrote:
> 
> > Are you able to explain how sshd is configured to do a kinit for the
> > user as they ssh into a machine?
> 
> I had been planning to say something when I caught up on the thread, yes.
> 
> Slawa and I have a pre-existing disagreement about the nature of "single
> sign-on" and how kerberos should "most properly" be used, but in the case
> where one is planning to type one's kerberos password into sshd and
> authenticate to the system, pam_krb5 should suffice.  We use AFS at MIT,
> not NFS, but still have network homedirs that require kerberos tickets for
> authentication, so we combine pam_krb5 and pam_afs_session to do the
> necessary authentication.  Unfortunately, I never got the time to properly
> port that setup from Linux to FreeBSD, so I don't have direct experience
> with FreeBSD pam configuration for such a setup.

FreeBSD sshd uses thread emulation by fork; as a result, the Kerberos token
obtained at pam_krb5:auth can't be accessed at pam_krb5:session (for
writing to /tmp/krb5cc_UID). Recompiling with
-DUNSUPPORTED_POSIX_THREADS_HACK resolves this issue (and I can log in
with a Kerberos password to a host with Kerberized NFSv4 and, w/o
additional kinit or password, ssh to another host).

DES is against UNSUPPORTED_POSIX_THREADS_HACK, but I am unable to follow
him (PAM can change locale settings? OK, this is legal in my
understanding of PAM -- PAM is designed for this. A vulnerability in PAM? In any
case, PAM runs as root and is not chrooted.)

> There is still the limitation that things like .k5login must be
> world-readable in order for the login to work, which as I understand it is
> acceptable for Slawa.
> 
> I'm not sure what the ordering is between pam and whatever part of the
> login stack would be actually mounting the home directories, though.
> Perhaps Slawa has some insight.

I use autofs (automount) for this.