Re: NFSv2/3 requiring RPC_AUTH_GSS

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "J. Bruce Fields" <bfields@fieldses.org>
To: Benjamin Bennett <ben@phys.psu.edu>
Cc: Trond Myklebust <trond.myklebust@fys.uio.no>, nfs@lists.sourceforge.net
Subject: Re: NFSv2/3 requiring RPC_AUTH_GSS
Date: Mon, 7 Mar 2005 10:50:26 -0500	[thread overview]
Message-ID: <20050307155026.GC25025@fieldses.org> (raw)
In-Reply-To: <1110016071.21281.70.camel@roadrunner.phys.psu.edu>

On Sat, Mar 05, 2005 at 04:47:52AM -0500, Benjamin Bennett wrote:
> The problem I saw (can't require gss for v3 access) seems to be the
> result of two things:
> 
>   A) mountd needs to see the v3 host in exports (or it will return
> unknown host). So even though we just want to use gss, we need another
> export (auth_unix) to satisfy this.

Oh, right.

>   I wrote a little code to unconditionally send back a successful mount
> response with filehandle and included gss flavors. This led to the
> second problem:
> 
>   B) knfsd also validates host, so we again need the same auth_unix
> export as in A.

I'm not sure what you mean by "knfsd also validates host".  I think the
client mount program sends a NULL rpc call to nfsd, is that what you're
talking about?

>   The most simple work-around I could think of was making the auth_unix
> export ro, all_squash. But that still allows auth_unix anyone to mount
> and be nobody ;-)
> 
>   Whether a client is going to use gss for nfs transactions isn't
> necessarily known at mount time, so we can't just have mountd ignore
> hostnames when gss is going to be used.

Well, I suppose we could require mount to contact mountd using gss.
That seems much more sensible to me than what rfc2623 recommends.  Maybe
I'm missing some obvious problem.

--b.

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

     prev parent reply	other threads:[~2005-03-07 17:00 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-03-03 22:54 NFSv2/3 requiring RPC_AUTH_GSS Benjamin Bennett
2005-03-04 19:03 ` Trond Myklebust
2005-03-05  6:45   ` J. Bruce Fields
2005-03-05  9:47     ` Benjamin Bennett
2005-03-07 15:50       ` J. Bruce Fields [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20050307155026.GC25025@fieldses.org \
    --to=bfields@fieldses.org \
    --cc=ben@phys.psu.edu \
    --cc=nfs@lists.sourceforge.net \
    --cc=trond.myklebust@fys.uio.no \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.