Revision 4 as of 2012-02-23 10:21:33
[ASH] is currently working on a Kerberos implementation to overlay the OpenLDAP authentication system the club currently uses.
This would have several advantages, including:
- Single-Sign-On between UCC machines.
- Kerberised home directory mounting allowing the merging of /away and /home without security issues.
- Enabling more UCC services to kerberise, thus extending UCC's Single-Sign-On network.
The implementation currently under consideration is found at http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-provider.php
Issues to be considered include:
- Synchronising Samba, Unix and Kerberos passwords - this is relatively painless thanks to `smbk5pwd`
- Ticket granting on logon - what happens if people use SSH keys to log in?
- NFS-K5
  - Do we mount all of /home by giving each machine a full-access Kerberos key? This is probably worse than the current situation.
  - Alternatively, do we mount each user's home directory (e.g. with the automounter) once they've logged in? If so, how do we make SSH keys work (and do we care)?
  - Are we interested in NFS-K5 or NFS-K5p, or do we want to deploy IPsec?