This is an update on my Kerberos usability project. I think my utilities are feature-complete.
As I’ve described before, Rutgers computer science wants to use Kerberos to secure NFS and ssh. We have machines administered by faculty and students, and physically insecure lab machines. In such a world, perfect security is impossible, but we’d like to do our best to protect user data from compromise on systems they aren’t using. On systems they are using, I don’t know of a solution.
When I looked at Kerberos and Kerberized NFS, I saw three big problems:
* We have users with very long sessions. We don’t want their credentials to expire, as they’ll lose access to their files.
* We have users that have to run cron jobs. Some of these start things like web servers. (These are for students in labs. There are probably better ways for them to restart after a crash, but alternatives will have the same issues.) They need to have access to user files.
* pam_mkhomedir can’t work in a Kerberized environment, as root can’t make a directory and changes its ownership.
The solution is a set of utilities:
* renewd - renews all active credentials. We know what’s active because they are registered with keys in a session keyring. Keyring sessions have better properties than other Linux identifiers such as sid. They should stay around even if you start a server and it detaches. pam-reg-cc will register a credential cache (from KRB5CCNAME) with the session. Unlike kinit -R, I believe the renew code is race-free, for cc’s of type KEYRING and FILE.
* pam_kgetcred will create a credentials cache for the user (using a keytab on a secure server). They must register (with kgetcred -r) that they want cron to have access to their credentials on the current host. The advantage of this over using a keytab is that keytabs are valid on all hosts, and there are no restrictions to the credentials you can get from them. kgetcred restricts on a host by host basis, and by default issues non-forwardable credentials.
kgetcred -a will get credentials for an anonymous user. That’s because freeipa doesn’t yet support kinit -n. So we need anonymous credentials to armor requests for users to TFA. We have a script, skinit, with the same arguments as kinit. It gets an anonymous credential and then calls kinit with that for amor.
* pam_kmkhomedir is a Kerberized pam_mkhomedir. It talks to a service on the file server, which creates the directory. You can set it up so it doesn’t do anything if the file system isn’t mounted. (We’ve had issues where NFS auto mount fails and a pseudo-home directory gets created on the mount point.)