krb5 with AUTH_SYS
Zachary Kotlarek
president at cynicbytrade.com
Sun Dec 17 19:25:02 EST 2006
I'm a little new to the NFSv4 world, so forgive me if this is a silly
question, but I haven't been able to find an answer on my own.
Is it possible to use the krb5 host verification features in NFSv4
without requiring per-user tickets? I'd like to authenticate the
client machine (and possibly encrypt the connection) but still allow
arbitrary UID changes client-side in the auth_sys style. But I'm also
open to suggestions if someone has a more elegant solution.
In general the per-user tickets are not a problem, but AFAICT they
prevent me from using homedir-based mail delivery. Incoming SMTP
connections are not authenticated (because the connection is not from
the user receiving mail), so I can't get tickets on the machine
attempting delivery, and therefore I cannot write directly to a
user's home directory.
We're currently using NFSv3 without any security, which is working
fine, but without control of the entire Ethernet segment I'd really
like to authenticate clients on some level. I know I could do
something like an SSH tunnel, but that makes error reporting and
recovery more difficult and still leaves the NFS server open to
attack from anyone with shell access on an NFS client machine.
Is it possible to mount with host-level krb5 security and still use
auth_sys file permission enforcement? If so how -- I haven't found
any documentation to this effect. Is there some other way around this
problem?
Thanks for your help,
Zach