Host based authentication
Jim Davis
jdavis at CS.Arizona.EDU
Thu Apr 19 16:43:22 EDT 2007
Ian Grant wrote:
>
> What I was asking about is whether there is a way to get an NFSV4
> server to trust the clients and allow all privs to user's files, but
> only when the client machine can supply machine credentials. So it's
> host-based authentication, but with machine credentials instead of
> just by IP address.

Ideally there should be. While not a full-fledged security solution it
would help a lot in situations where, say, students use their laptops to
masquerade as a system listed in /etc/exports. Now to get protection
against that, it seems we have to implement Kerberos with NFSv{3,4},
which is... complicated. To put it mildly.

There's an interesting slide from http://nasconf.com/pres03/eisler.pdf
that refers to this lack:

"In hindsight, NFS ...
• at mount time should have authenticated to
server via per-host passwords (Kerberos
would have followed)"

Think how much easier that would be than explaining TGTs, kinit, and the
mysteries of PAM to your users (or trying to decipher the mysteries of
PAM yourself), and what a big step up over AUTH_SYS that would have been
too.
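
Added example, not part of the original post: a small audit that reads exports(5)-style text and lists every export a client can still reach with a non-Kerberos flavor such as AUTH_SYS, which is the case where a machine borrowing a listed address is trusted. The sample file, host names and paths are constructed, and it assumes unquoted paths and the plain `client(options)` and `-options` forms.

```python
import re

KRB5_FLAVORS = {"krb5", "krb5i", "krb5p"}

# Constructed sample in exports(5) syntax; hosts and paths are made up.
SAMPLE_EXPORTS = """\
# home directories
/home     lab1.example.edu(rw,sync) 192.0.2.0/24(rw,sync,sec=sys)
/proj     *.example.edu(rw,sync,sec=krb5p)
/scratch  lab2.example.edu(rw,sec=krb5:sys) \\
          lab3.example.edu(ro)
/srv      -sec=krb5i,ro lab4.example.edu
"""

def logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def sec_flavors(options):
    """Flavors the server will accept; exports(5) defaults to sys."""
    flavors = ["sys"]
    for opt in options:
        if opt.startswith("sec="):
            flavors = opt[4:].split(":")
    return flavors

def audit_exports(text):
    """Return (path, client, flavors) for exports that accept a non-Kerberos flavor."""
    findings = []
    for line in logical_lines(text):
        path, *entries = line.split()
        defaults = []
        for entry in entries:
            if entry.startswith("-"):          # "-opt,opt" sets per-line defaults
                defaults = entry[1:].split(",")
                continue
            client, _, opts = entry.partition("(")
            options = defaults + [o for o in opts.rstrip(")").split(",") if o]
            flavors = sec_flavors(options)
            if set(flavors) - KRB5_FLAVORS:
                findings.append((path, client or "<any host>", flavors))
    return findings

if __name__ == "__main__":
    for path, client, flavors in audit_exports(SAMPLE_EXPORTS):
        print(f"{path}: {client} accepts non-Kerberos sec={':'.join(flavors)}")
```

An entry such as `sec=krb5:sys` is reported too, since a client may still pick the AUTH_SYS flavor from that list.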