[ASH] is currently working on a Kerberos implementation to to overlay the OpenLDAP authentication system the club currently uses.
This would have several advantages, including:
- Single-Sign-On between UCC machines.
- Kerberised home directory mounting allowing the merging of /away and /home without security issues.
- Enabling more UCC services to kerberise, thus extending UCC's Single-Sign-On network.
The implementation currently under consideration is found at http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-provider.php
Issues to be considered include:
Synchronising Samba, Unix and Kerberos passwords - this is relatively painless thanks to smbk5pwd
- Ticket granting on logon - what happens if people use SSH keys to log in?
- Do we mount all of /home by giving each machine a full-access Kerberos key? This is probably worse than the current situation.
- Alternatively, do we mount each user's home directory (e.g. with the automounter) once they've logged in? If so, how do we make SSH keys work (and do we care)?
- Are we interested in NFS-K5 or NFS-K5p, or do we want to deploy IPsec?