[ASH] is currently working on a Kerberos implementation to to overlay the OpenLDAP authentication system the club currently uses.

This would have several advantages, including:

  • Single-Sign-On between UCC machines.
  • Kerberised home directory mounting allowing the merging of /away and /home without security issues.
  • Enabling more UCC services to kerberise, thus extending UCC's Single-Sign-On network.

The implementation currently under consideration is found at http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-provider.php

Issues to be considered include:

  • Synchronising Samba, Unix and Kerberos passwords - this is relatively painless thanks to smbk5pwd

  • Ticket granting on logon - what happens if people use SSH keys to log in?
  • NFS-K5
    • Do we mount all of /home by giving each machine a full-access Kerberos key? This is probably worse than the current situation.
    • Alternatively, do we mount each user's home directory (e.g. with the automounter) once they've logged in? If so, how do we make SSH keys work (and do we care)?
    • Are we interested in NFS-K5 or NFS-K5p, or do we want to deploy IPsec?