[FreeNX-kNX] RSA ssh authentication not compatible with all sites
Charles Duffy
cduffy at spamcop.net
Sun Dec 5 05:10:29 UTC 2004
Howdy.
My site uses AFS for our shared filesystem. AFS authenticates users with
"tokens", which can be granted using Kerberos tickets for authentication.
Barring practices which are frowned upon for good (security-related)
reasons, a Kerberos ticket can only be granted by a user authenticating
via a password -- NOT via passwordless mechanisms like RSA keys. (This
means that even if a daemon running as root is compromised on a client
machine, an attacker still cannot access users' files without knowing the
password of that user or of an administrator; compare to NFS, where an
attacker compromising a machine can successfully pretend to be any user
they like). Some versions of NFS support Kerberos authentication; for our
purposes, this is a similar situation.
The end result is that folks logging in via any mechanism other than using
a username and password are unable to read from and write to their home
directories unless they jump run a few commands (and enter their password)
to grab a ticket and token (the former of which can potentially be stolen
by any other used logged in via the same account, making shared accounts
such as that used by the server potentially problematic). This isn't an
exceedingly common setup -- but neither is it exceedingly rare; such site
configurations are found within some major universities and (as I
understand it) internal to some parts of IBM.
Is FreeNX-server capable of working in this kind of environment? If not,
are there any plans to make changes which would make it capable of
operating in such an environment?
More information about the FreeNX-kNX
mailing list