krb5 with AUTH_SYS
Zachary Kotlarek
president at cynicbytrade.com
Mon Dec 18 13:32:20 EST 2006
Fredrik Tolf wrote:
> On Sun, 2006-12-17 at 18:18 -0600, Zachary Kotlarek wrote:
> If I'm not mistaken, the NFSv3 mount daemon only accepts clients on
> ports < 1024, so if you restrict NFSv3 access to localhost, you are
> essentially restricting it to anyone who can bind to those ports on the
> local machine (root, that is). Make a little SUID root program that is
> started within the SSH session, does authorization based on getuid(),
> and then binds to a port <1024 and forwards the connection for the
> client to the NFS server.
I forgot about this. It's still a bit more clunky than kerberos, but it
should at least be reasonably secure.
Now that I think about it, I might also be able to use iptables "owner"
module to restrict access based on process owner. That's what I'm really
trying to accomplish anyway -- restricting access to processes with root
privileges on a particular machine.
> I know it's a bit ugly, but personally I can't think of a better way.
>
> OTOH, maybe it would be possible to simply turn off root squelch on NFSv4
> (I don't know whether that's possible), while still using Kerberos
> security. That way, only clients with a Kerberos service key for NFS
> could connect, right?
That might work if you're root, but my mail delivery doesn't work that
way. On my system the delivery agent (procmail, qmail-local, etc.)
doesn't run as root, it runs as the user receiving mail.
Thanks for your help,
Zach