[OpenAFS] home on afs woes

Lester Barrows barrows@email.arc.nasa.gov
Wed, 4 Jan 2006 14:59:10 -0800

On Wednesday 04 January 2006 1:48 pm, Jeffrey Altman wrote:
> This should be a reasonable approach.   For all machines that
> are being logged into using gssapi krb5, those machines must
> have been issued a Kerberos principal and they must have a
> keytab.  Assign the principal an AFS ID and then use a program
> such as kstart to obtain and maintain a AFS token in the PAG
> within which the sshd resides.  Add the AFS ID to a an AFS
> group and provide that group rl privileges on the top level
> directory of the home volume.   This will provide the sshd
> the ability to read the directory without requiring that the
> directory be world readable.
> Now if you want to lock things down a bit more, move all of
> the dot files to a new directory on which 'rl' is granted
> for the group and instead give the group 'l' privilege on
> the top-level directory and place symlinks from the top-level
> directory to the real dot files.   This will prevent sshd
> from being able to read any of the files in the top-level
> directory but it will be able to follow the symlinks to
> read the dot files that it requires.
> Jeffrey Altman

This could work to a point, although it strikes me as being a hackish 
workaround to a capability (well, granularity) that should be in the 
filesystem to begin with. Authenticating the daemon makes sense. Having to 
symlink all the authentication files into a separate directory to limit the 
daemon's privileges is messy and prone to problems induced by user error.

It also gives the SSH daemon list privileges to each new directory a user 
creates in the top level of their home directory, which they would then have 
to change. If there's a compromise due to this additional privilege, 
involving e.g. an SSH private key being created in or copied to the wrong 
place, that could be bad.

Best regards,
Lester Barrows