Secure Unix LAN (NIS and Kerberized NFSv4)

Problems and solutions

by ross at 17:21:16 on March 20, 2014

ssh into a client won't create a ticket

If you ssh from the master server into a client, sshd accepts your Kerberos password and logs you in, but no ticket is created for the session. Your home directory lives on Kerberized NFSv4, so without a ticket in your credential cache the client has nothing to present to the NFS server and your home is not accessible.

The workaround I use is to log in, run kinit, and log in again:

server> ssh client
Could not chdir to home directory /home/ross: Permission denied
client> kinit
ross@LAN's Password:
client> logout
server> ssh client

This time the home directory is accessible, because kinit left a ticket in the credential cache for your uid. If GSSAPI authentication is enabled on both hosts, forwarding your existing ticket with ssh -K (GSSAPIDelegateCredentials) gives the session a usable credential cache straight away and avoids the second login.

Cron scripts require a ticket

Suppose a client host is up 24x7 and a user, say xbmc, runs scripts from cron. If those scripts touch the krb5-protected NFS filesystems, xbmc needs a valid ticket whenever they run, not just while somebody is logged in.

This can be solved as follows (on that host), by exporting xbmc's key to a keytab that only xbmc can read:

# kadmin
kadmin> ext --keytab=/etc/krb5.keytab.xbmc xbmc
root/admin@LAN's Password: 
kadmin> quit
# chown xbmc:xbmc /etc/krb5.keytab.xbmc
# chmod 600 /etc/krb5.keytab.xbmc

Anyone who can read /etc/krb5.keytab.xbmc can authenticate as xbmc without a password, so the keytab is exactly as sensitive as the password: keep it owned by xbmc with mode 600 (as above), and if it ever leaks, change xbmc's key in kadmin so the exported key stops working. Whether this trade-off is acceptable is your call.

Now add to /etc/rc.local, so xbmc gets a ticket at boot. Because the command runs as xbmc, kinit writes the default credential cache for xbmc's uid (/tmp/krb5cc_<uid>), which is the same cache xbmc's cron jobs will read:

/usr/bin/su xbmc -c '/usr/bin/kinit -k -t /etc/krb5.keytab.xbmc xbmc'

And to xbmc's crontab, so the ticket is renewed every 5 hours, which should be well within the ticket lifetime your KDC issues (shorten the interval if it issues shorter tickets):

#minute hour    mday    month   wday    command
0       */5     *       *       *       /usr/bin/kinit -k -t /etc/krb5.keytab.xbmc xbmc
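To tie the steps above together, here is a small wrapper for the cron job itself. It is an added example and not code from the original page: it refuses to run while the keytab is readable by anyone but its owner, obtains or refreshes the ticket from the keytab only when klist -s reports no valid one, and then execs the job so it inherits the credential cache. The wrapper's name, the paths, the principal name and the tool locations are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# krb5-cron-wrapper.sh (added example, not part of the original page).
# Run a cron job for a keytab-backed user only when the keytab is private
# and a valid Kerberos ticket is in the default credential cache, refreshing
# the ticket from the keytab on demand. Paths, the principal name and the
# tool locations below are assumptions; override them via the environment.

KEYTAB="${KEYTAB:-/etc/krb5.keytab.xbmc}"
PRINCIPAL="${PRINCIPAL:-xbmc}"
KINIT="${KINIT:-/usr/bin/kinit}"
KLIST="${KLIST:-/usr/bin/klist}"

# keytab_is_private FILE
# Succeed only if FILE is a regular file owned by the invoking user with no
# permission bits for group or others (0600 or tighter). Uses find(1) with
# octal -perm tests, which both BSD and GNU find accept. A symlinked keytab
# is rejected, since find examines the link itself.
keytab_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    # find prints the path when any group/other permission bit is set
    leaked=$(find "$f" \( -perm -040 -o -perm -020 -o -perm -010 \
                          -o -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)
    [ -z "$leaked" ] || return 1
    # find prints the path only if the file belongs to the invoking user
    owned=$(find "$f" -user "$(id -un)" 2>/dev/null)
    [ -n "$owned" ] || return 1
    return 0
}

# ensure_ticket
# Succeed if klist -s (silent check, present in MIT and Heimdal) sees a
# valid ticket; otherwise obtain one from the keytab and return kinit's status.
ensure_ticket() {
    if "$KLIST" -s 2>/dev/null; then
        return 0
    fi
    "$KINIT" -k -t "$KEYTAB" "$PRINCIPAL"
}

# main JOB [ARGS...]
# Refuse to run with a leaky keytab, make sure a ticket exists, then exec
# the job so it runs with the credential cache already populated.
main() {
    if ! keytab_is_private "$KEYTAB"; then
        echo "$0: $KEYTAB must be a regular file owned by $(id -un) with mode 0600" >&2
        exit 1
    fi
    if ! ensure_ticket; then
        echo "$0: no Kerberos ticket for $PRINCIPAL and kinit failed" >&2
        exit 1
    fi
    exec "$@"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

With this in place the crontab entry wraps the real job instead of calling kinit on a fixed schedule, for example (paths assumed) `*/15 * * * * /usr/local/bin/krb5-cron-wrapper.sh /home/xbmc/bin/update-library.sh`; the ticket is then refreshed exactly when it has expired, and a job whose keytab has been accidentally chmodded open fails loudly in cron's mail instead of running.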

You might also want to change console in /etc/ttys from secure to insecure, so that booting into single-user mode still requires root's password. Otherwise anyone with access to the console could boot single-user and read the keytab (and everything else on the disk) without authenticating.