From: Lukas Hejtmanek <xhejtman@ics.muni.cz>
To: "Myklebust, Trond" <Trond.Myklebust@netapp.com>
Cc: "J. Bruce Fields" <bfields@fieldses.org>,
	"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>
Subject: Re: NFSv4 backchannel authentication
Date: Tue, 7 Aug 2012 18:12:11 +0200	[thread overview]
Message-ID: <20120807161211.GL11089@ics.muni.cz> (raw)
In-Reply-To: <1344355148.5781.31.camel@lade.trondhjem.org>

On Tue, Aug 07, 2012 at 03:59:09PM +0000, Myklebust, Trond wrote:
> Yes, you can do this, however that requires the server to be configured
> to accept rpcsec_gss and auth_sys from that client.
> It also allows anyone to spoof a callback to your client.
> Furthermore, it would allow anybody to send SETCLIENTID calls using the
> same client id to the server and so they can declare your client to have
> rebooted (so that all state is lost), they can divert callbacks to
> another machine, ....
> IOW: it is not really something you want to allow on an untrusted
> network.

well, ok, thanks for answers. However, it seems that while NFS server's name
is server-home.domain.com (floating name), and true hostname is
server1.domain.com, it does not matter that callback is authenticated with
server1.domain.com instead of server-home.domain.com.

Is this expected? Or is it a bug?

I would suppose that client rejects authentication of the backchannel from 
server that sends nfs/server1.domain.com KRB principal instead of expected
nfs/server-home.domain.com. 

The client mounts server-home.domain.com with sec=krb5i. Using debugs I can
see that the server picks up nfs/server1.domain.com key from /etc/krb5.keytab
and the client seems to be happy with that (context is established).

-- 
Lukáš Hejtmánek
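As an added illustration (not code from the thread or from the Linux NFS client), this is the strict check the poster expected the client to apply to the backchannel principal, plus an explicit opt-in for hosts an administrator has declared to stand behind a floating name. The realm `DOMAIN.COM` and the alias map are constructed assumptions.

```python
# Added example, not part of the original message or of nfs-utils/kernel code.
import re

# Constructed alias map: the floating name a client mounts, and which real host
# principals are allowed to answer callbacks for it (admin-declared, not guessed).
KNOWN_ALIASES = {
    "server-home.domain.com": {"server1.domain.com", "server2.domain.com"},
}

PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^@]+)@(?P<realm>.+)$")


def parse_principal(principal):
    """Split 'nfs/host.example@REALM' into (service, host, realm); None if malformed."""
    m = PRINCIPAL_RE.match(principal.strip())
    if not m:
        return None
    return m.group("service"), m.group("host").lower(), m.group("realm")


def callback_principal_ok(mount_target, expected_realm, presented,
                          aliases=None, strict=True):
    """Decide whether a backchannel GSS context established with `presented`
    should be trusted for a mount of `mount_target`.

    strict=True  : only nfs/<mount_target>@<expected_realm> is accepted, which
                   is the behaviour the poster assumed the client enforces.
    strict=False : additionally accept hosts the admin listed as standing
                   behind the floating name (e.g. server1 for server-home).
    Returns (accepted, reason).
    """
    parsed = parse_principal(presented)
    if parsed is None:
        return False, "malformed principal"
    service, host, realm = parsed
    if service != "nfs":
        return False, f"unexpected service {service!r}, expected 'nfs'"
    if realm != expected_realm:
        return False, f"realm {realm!r} != expected {expected_realm!r}"
    target = mount_target.lower()
    if host == target:
        return True, "exact match with mount target"
    if not strict and host in (aliases or {}).get(target, set()):
        return True, "admin-declared alias of the floating name"
    return False, f"host {host!r} does not match mount target {target!r}"
```

With `strict=True` the case from the message (mount of server-home, callback authenticated as nfs/server1) is rejected; relaxing it requires the alias to be listed explicitly rather than accepting any principal the server happens to hold in its keytab.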
