Host based authentication
Brent Callaghan
brentc at apple.com
Thu Apr 19 17:42:16 EDT 2007
On Apr 19, 2007, at 1:43 PM, Jim Davis wrote:
> Ian Grant wrote:
>
>>
>> What I was asking about is whether there is a way to get an NFSV4
>> server to trust the clients and allow all privs to user's files, but
>> only when the client machine can supply machine credentials. So it's
>> host-based authentication, but with machine credentials instead of
>> just by IP address.
>
> Ideally there should be. While not a full-fledged security solution
> it
> would help a lot in situations where, say, students use their
> laptops to
> masquerade as a system listed in /etc/exports. Now to get protection
> against that, it seems we have to implement Kerberos with NFSv{3,4},
> which is... complicated. To put it mildly.
>
> There's an interesting slide from http://nasconf.com/pres03/eisler.pdf
> that refers to this lack:
>
> " In hindsight, NFS ...
>
> • at mount time should have authenticated to
> server via per-host passwords (Kerberos
> would have followed)"
>
> Think how much easier that would be than explaining TGTs, kinit, and
> the
> mysteries of PAM to your users (or trying to decipher the mysteries of
> PAM yourself), and what a big step up over AUTH_SYS that would have
> been
> too.
Yes, stronger host-based security would be useful and might avoid some
of the overhead in administering Kerberos.
But the most common complaint about NFS security relates to home
directories,
and host-based security does nothing to prevent one student messing
with another student's (or staff member's) home directory via the "su"
command.
Brent
More information about the NFSv4
mailing list