What are the recommended settings for SSO regarding the .k5login file in an environment where home directories are NFS mounted?
Question: What are the recommended settings for SSO regarding the .k5login file in an environment where home directories are NFS mounted?
Answer: This depends on how the user manages SSO, the version of sshd in use and which DirectControl version is running. If a .k5login file is present in the user's home directory, it is used to determine which accounts may SSO into the system as that user. If sshd cannot open the .k5login file to read it, this is treated as a failure and access is denied. This causes a problem when the home directories are on an NFS mount where the root account has been denied access with the "root_squash" export option: root on the NFS client is mapped to an unprivileged user on the server, so a .k5login that is readable only by its owner cannot be opened by sshd.
Options:
If the system is running Centrify OpenSSH sshd and provisioned AD users are not expected to allow other users to log in to their accounts via Single Sign-On with those users' own credentials, then .k5login creation can simply be disabled and the existing .k5login files removed from all home directories. Centrify OpenSSH sshd then checks whether the Kerberos principal in the presented credential matches the target user login to decide whether the login is allowed. The centrifydc.conf parameter to disable .k5login creation is:
pam.create.k5login: false
The alternative is to tell adclient to ignore the .k5login file, or to specify an alternate location that holds the users' .k5login files. To ignore the file:
krb5.sso.ignore.k5login: true
To use an alternate location, set the directory with the following parameter. For security reasons the specified directory should be owned by root and writable by root only.
krb5.conf.k5login.directory:
Note: Once a .k5login file is present, it is honored.
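As an added example (this script is not from the Centrify article or product), here is a small POSIX sh helper that reads the three centrifydc.conf parameters discussed above and reports which option is in effect, checks that an alternate k5login directory is root-owned and writable only by root, and lists the existing .k5login files under a home root so they can be removed after creation is disabled. The sample config, user names and home paths are constructed; the default values assumed for unset parameters (creation on, ignore off), the precedence chosen between the options, and the use of GNU stat/find are assumptions, not documented DirectControl behaviour.

```sh
#!/bin/sh
# Added helper script (not part of the Centrify KB article or product). It
# summarises the three centrifydc.conf options discussed above, checks the
# ownership/permission rule for an alternate k5login directory, and locates
# existing .k5login files so they can be removed when creation is disabled.
# Assumptions: "key: value" lines in centrifydc.conf, GNU stat/find (Linux),
# and the defaults pam.create.k5login=true / krb5.sso.ignore.k5login=false.

# Print the value of one parameter from a centrifydc.conf-style file
# (comment lines skipped, last occurrence wins, empty if unset).
conf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        index($0, k ":") == 1 {
            v = substr($0, length(k) + 2)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            val = v
        }
        END { print val }' "$1"
}

# Report how .k5login will be handled, given the options from the article.
# Precedence (ignore > alternate directory > home directory) is an assumption
# made for this summary, not documented behaviour.
k5login_mode() {
    create=$(conf_get "$1" pam.create.k5login)
    ignore=$(conf_get "$1" krb5.sso.ignore.k5login)
    dir=$(conf_get "$1" krb5.conf.k5login.directory)
    if [ "$ignore" = "true" ]; then
        echo "ignore"            # .k5login never consulted
    elif [ -n "$dir" ]; then
        echo "directory:$dir"    # .k5login read from a root-owned dir, not NFS homes
    elif [ "$create" = "false" ]; then
        echo "home-no-create"    # ~/.k5login honored if present, but no longer created
    else
        echo "home-create"       # assumed default: adclient creates and honors ~/.k5login
    fi
}

# Rule from the article for the alternate directory: owned by root (uid 0)
# and writable by root only. Takes uid and octal mode so it is testable
# without root; the group digit is second-to-last, the other digit is last.
k5login_dir_perms_ok() {
    [ "$1" -eq 0 ] || return 1
    case "$2" in *[2367]) return 1 ;; esac        # other-writable
    case "${2%?}" in *[2367]) return 1 ;; esac    # group-writable
    return 0
}

# Same check against a real directory, using GNU stat (assumption: Linux).
k5login_dir_ok() {
    info=$(stat -c '%u %a' "$1" 2>/dev/null) || return 1
    k5login_dir_perms_ok "${info%% *}" "${info##* }"
}

# List .k5login files directly under each home directory below $1. These are
# the files to remove after setting pam.create.k5login: false.
find_k5login_files() {
    find "$1" -mindepth 2 -maxdepth 2 -name .k5login -print
}

# Say whether this process can read each .k5login. Run as root on the NFS
# client, an UNREADABLE entry is exactly the root_squash case in which sshd
# cannot open the file and denies the login.
report_k5login_readability() {
    find_k5login_files "$1" | while read -r f; do
        if [ -r "$f" ]; then echo "readable   $f"; else echo "UNREADABLE $f"; fi
    done
}

# Demo on a constructed config and home tree (sample data, not real users).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '# constructed sample centrifydc.conf' \
        'pam.create.k5login: false' 'krb5.sso.ignore.k5login: false' > "$tmp/centrifydc.conf"
    mkdir -p "$tmp/home/alice" "$tmp/home/bob" "$tmp/home/carol"
    echo 'alice@EXAMPLE.COM' > "$tmp/home/alice/.k5login"
    echo 'bob@EXAMPLE.COM'   > "$tmp/home/bob/.k5login"
    echo "mode: $(k5login_mode "$tmp/centrifydc.conf")"
    report_k5login_readability "$tmp/home"
    rm -rf "$tmp"
}
demo
```

Run as root on an NFS client where root_squash is in effect, each UNREADABLE line in the readability report names a home directory whose .k5login sshd cannot open, which is the failure the answer describes; k5login_dir_ok is the check to run on the directory you point krb5.conf.k5login.directory at before switching users over to it.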