kernel key ring usage ETA ?

Kevin Coffman kwc at citi.umich.edu
Thu Mar 22 10:25:32 EDT 2007


On 3/22/07, Guillaume Rousse <Guillaume.Rousse at inria.fr> wrote:
> Hello.
>
> I'm reading in the FAQ (and also in other documents) that there is an
> intended switch to use the kernel to store gss credentials, instead of a file,
> which causes some security issues currently. When is this planned? Is
> this already available in kernel patches from
> http://www.citi.umich.edu/projects/nfsv4/linux/kernel-patches/ ?

My intention is to get it completed and available ASAP.

I'm curious what security issues you have with storing credentials in
the file system.

The current design of the keyring stuff allows credentials to live
"wherever" and the keyring is used by gssd as a way to locate the
correct credentials to use when creating a context.  There is an
option to store the actual credentials themselves in the keyring
(there is a keyring credentials cache implementation in MIT Kerberos
1.6), but it is not required.

To partially address your other message, there is no plan to make use
of keyrings on the server.

