Differences between revisions 1 and 4 (spanning 3 versions)
Revision 1 as of 2012-02-21 09:49:57
Size: 540
Editor: AshTyndall
Comment:
Revision 4 as of 2012-02-23 10:21:33
Size: 1148
Editor: proxyserver
Comment:
Line 1: Line 1:
[ASH] is currently working on a Kerberos implementation to replace the OpenLDAP authentication system the club currently uses. [ASH] is currently working on a Kerberos implementation to to overlay the OpenLDAP authentication system the club currently uses.
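Review bot: The added Line 1 text repeats a word, "to to overlay"; drop the second "to". The change from "replace" to "overlay" also alters the stated plan (Kerberos on top of OpenLDAP rather than instead of it), and the revision's Comment field is empty, so a short edit comment recording why would help.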
Line 4: Line 4:
* Single-Sign-On between UCC machines.
* Kerberised home directory mounting allowing the merging of /away and /home without security issues.
* Enabling more UCC services to kerberise, thus extending UCC's Single-Sign-On network.
 * Single-Sign-On between UCC machines.
 * Kerberised home directory mounting allowing the merging of /away and /home without security issues.
 * Enabling more UCC services to kerberise, thus extending UCC's Single-Sign-On network.
Line 9: Line 9:

Issues to be considered include:
 * Synchronising Samba, Unix and Kerberos passwords - this is relatively painless thanks to `smbk5pwd`
 * Ticket granting on logon - what happens if people use SSH keys to log in?
 * NFS-K5
  * Do we mount all of /home by giving each machine a full-access Kerberos key? This is probably worse than the current situation.
  * Alternatively, do we mount each user's home directory (e.g. with the automounter) once they've logged in? If so, how do we make SSH keys work (and do we care)?
  * Are we interested in NFS-K5 or NFS-K5p, or do we want to deploy IPsec?

[ASH] is currently working on a Kerberos implementation to overlay the OpenLDAP authentication system the club currently uses.

This would have several advantages, including:

  • Single-Sign-On between UCC machines.
  • Kerberised home directory mounting allowing the merging of /away and /home without security issues.
  • Enabling more UCC services to kerberise, thus extending UCC's Single-Sign-On network.

The implementation currently under consideration is found at http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-provider.php

Issues to be considered include:

  • Synchronising Samba, Unix and Kerberos passwords - this is relatively painless thanks to smbk5pwd
  • Ticket granting on logon - what happens if people use SSH keys to log in?
  • NFS-K5
    • Do we mount all of /home by giving each machine a full-access Kerberos key? This is probably worse than the current situation.
    • Alternatively, do we mount each user's home directory (e.g. with the automounter) once they've logged in? If so, how do we make SSH keys work (and do we care)?
    • Are we interested in NFS-K5 or NFS-K5p, or do we want to deploy IPsec?