krb5 with AUTH_SYS
Jan Oravec
jan.oravec at 6com.sk
Mon Dec 18 04:34:01 EST 2006
If you authenticate NFS clients by IP address, you should consider doing
security on the same level - IPsec.
Kind Regards,
Jan
On Sun, Dec 17, 2006 at 06:18:19PM -0600, Zachary Kotlarek wrote:
> I'm a little new to the NFSv4 world, so forgive me if this is a silly
> question, but I haven't been able to find an answer on my own.
>
> Is it possible to use the krb5 host verification features in NFSv4
> without requiring per-user tickets? I'd like to authenticate the
> client machine (and possibly encrypt the connection) but still allow
> arbitrary UID changes client-side in the auth_sys style. But I'm also
> open to suggestions if someone has a more elegant solution.
>
> In general the per-user tickets are not a problem, but AFAICT they
> prevent me from using homedir-based mail delivery. Incoming SMTP
> connections are not authenticated (because the connection is not from
> the user receiving mail), so I can't get tickets on the machine
> attempting delivery, and therefore I cannot write directly to a
> user's home directory.
>
> We're currently using NFSv3 without any security, which is working
> fine, but without control of the entire Ethernet segment I'd really
> like to authenticate clients on some level. I know I could do
> something like an SSH tunnel, but that make error reporting and
> recovery more difficult and still leaves the NFS server open to
> attack from anyone with shell access on an NFS client machine.
>
> Is it possible to mount with host-level krb5 security and still use
> auth_sys file permission enforcement? If so how -- I haven't found
> any documentation to this effect. Is there some other way around this
> problem?
>
> Thanks for your help,
> Zach
>
> _______________________________________________
> NFSv4 mailing list
> NFSv4 at linux-nfs.org
> http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4
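What Jan's suggestion looks like in practice, as an added example that is not part of either message: the NFSv4 export keeps AUTH_SYS and its client address list, and an IPsec transport-mode policy in ipsec-tools setkey(8) syntax requires ESP between the two hosts, so a machine that merely spoofs or squats on a listed address cannot reach nfsd at all. The host addresses, paths and file locations are assumptions for illustration, not anything from the thread.

```conf
# /etc/exports on the NFS server (assumed address 192.0.2.10).
# On its own this line gates access by client address only, and AUTH_SYS
# trusts whatever UID the client sends: anyone who can put packets on the
# segment with source 192.0.2.20 becomes any non-root user on the export.
# With the IPsec policy below in place the line itself does not change;
# the kernel discards unprotected packets before they reach nfsd.
/srv/home   192.0.2.20(rw,sec=sys,no_subtree_check,root_squash)

# /etc/ipsec-tools.conf on the server, loaded with: setkey -f /etc/ipsec-tools.conf
# Transport-mode ESP is required in both directions for all traffic between
# the two hosts. The "require" level means a cleartext packet matching the
# selector is dropped, not accepted; "use" would let cleartext through.
flush;
spdflush;
spdadd 192.0.2.10/32 192.0.2.20/32 any -P out ipsec esp/transport//require;
spdadd 192.0.2.20/32 192.0.2.10/32 any -P in  ipsec esp/transport//require;

# Mirror image on the client (directions swapped):
# spdadd 192.0.2.20/32 192.0.2.10/32 any -P out ipsec esp/transport//require;
# spdadd 192.0.2.10/32 192.0.2.20/32 any -P in  ipsec esp/transport//require;
```

The SAs themselves are negotiated by an IKE daemon (racoon in the ipsec-tools world) keyed per host with certificates or a pre-shared key, which is what makes this host-level rather than user-level authentication. Two things to keep in mind when testing: with "require" the mount simply hangs until the SA is established, so check with `setkey -D` and confirm with tcpdump that only ESP leaves the wire; and the policy above covers all traffic between the pair, which is simplest for NFSv4 (port 2049 only) and also catches the extra mountd/lockd ports an NFSv3 export would use. What IPsec does not do is change the AUTH_SYS trust model: root on an authenticated client can still present any UID except the one root_squash maps, which is exactly the "shell access on an NFS client" exposure Zach raises.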