From: Olga Kornievskaia <aglo@umich.edu>
To: Lukas Hejtmanek <xhejtman@gmail.com>
Cc: Andy Adamson <androsadamson@gmail.com>,
NFS list <linux-nfs@vger.kernel.org>
Subject: Re: Fwd: RFC rpc.gssd enhancement
Date: Thu, 8 Dec 2016 16:58:18 -0500 [thread overview]
Message-ID: <CAN-5tyEUoqtLVERwE2mFYLDhbPsX5X=OTCOr1Jo24u7zTkftpA@mail.gmail.com> (raw)
In-Reply-To: <CAN-5tyEt3kCD-CJAFAL8E=eHNG0tk1gt84L35HU7nQMHg2_zFw@mail.gmail.com>
On Thu, Dec 8, 2016 at 4:50 PM, Olga Kornievskaia <aglo@umich.edu> wrote:
> On Thu, Dec 8, 2016 at 4:22 PM, Lukas Hejtmanek <xhejtman@gmail.com> wrote:
>> On Thu, Dec 08, 2016 at 04:11:38PM -0500, Olga Kornievskaia wrote:
>>> Why is "kinit" accessing ~/.krb5/config? Typically kinit will only
>>> access /etc/krb5.conf.
>>>
>>> You are describing a catch-22 system. You want to create credentials
>>> but to create credentials you need to access a file that is protected
>>> by the credentials. This is a badly designed setup.
>>>
>>> kinit normally does not require access into something that is
>>> protected by credentials gotten by kinit.
>>>
>>> Your solution is to provide your user with "kinit" that does not
>>> access ~/.krb5/config. Please describe the need for that file and why
>>> it can't be satisfied using machine global /etc/krb5.conf.
>>
>> debian heimdal 1.6~rc2+dfsg-9 opens ~/.krb5/config and ~/.rnd files.
>> dunno why.
>>
>> MIT implementation does not seem to access $HOME.
>
> When you say "MIT implementation does not seem to access $HOME", do
> you mean you've build kinit from MIT source and it works? If so, then
> solution seems to be to bug debian folks to investigate what happened
> to their kinit?
> For instance RHEL/CentOS 7 had an issue where there patched OpenSSH
> looked at .k5login file where normal ssh didn't and caused problems:
> https://bugzilla.redhat.com/show_bug.cgi?id=1328243
>
> I think that might be related to your other complaint with using ssh
> keys to ssh. But at the same time I can see that what's going on here
> is again somewhat un-kosher. If you placed .authorized_key under
> something that only user with credentials can access, then you can't
> get to it without having though credentials. You have mentioned that
> "authorized_key" are readable but typically ~/.ssh had 700 permission
> so sshd can't get to reading "authorized_keys" file.
>
> To summarize: i suggest that you check that if an upstream kinit (from
> MIT) and upstream openssh have the problems you are describing.
Sorry you said debian heimdal not MIT. If MIT works, I suggest
bringing this issue up on the heimdal kerberos mailing list and
describe the problem there.
next prev parent reply other threads:[~2016-12-08 21:58 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-28 18:37 RFC rpc.gssd enhancement Lukas Hejtmanek
2016-11-29 18:37 ` Steve Dickson
2016-11-29 18:48 ` Lukas Hejtmanek
2016-11-29 19:28 ` Steve Dickson
2016-12-02 11:41 ` Lukas Hejtmanek
[not found] ` <CAHVgHyU6LQak3O4ybR0H3whWCKUdfz2bxLvEGi9uFM1EX+e=Eg@mail.gmail.com>
2016-12-02 14:00 ` Fwd: " Andy Adamson
[not found] ` <20161202134638.4ghyb5wnnwata4ec@ics.muni.cz>
2016-12-02 14:23 ` Andy Adamson
2016-12-02 14:28 ` Lukas Hejtmanek
2016-12-02 15:09 ` Andy Adamson
2016-12-08 12:36 ` Lukas Hejtmanek
2016-12-08 13:18 ` Andy Adamson
2016-12-08 13:23 ` Lukas Hejtmanek
2016-12-08 13:40 ` Andy Adamson
2016-12-08 21:11 ` Olga Kornievskaia
2016-12-08 21:22 ` Lukas Hejtmanek
2016-12-08 21:50 ` Olga Kornievskaia
2016-12-08 21:58 ` Olga Kornievskaia [this message]
2016-11-29 20:04 ` Olga Kornievskaia
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAN-5tyEUoqtLVERwE2mFYLDhbPsX5X=OTCOr1Jo24u7zTkftpA@mail.gmail.com' \
--to=aglo@umich.edu \
--cc=androsadamson@gmail.com \
--cc=linux-nfs@vger.kernel.org \
--cc=xhejtman@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).