From: "J. Bruce Fields" <bfields@fieldses.org>
To: Jeff Layton <jlayton@redhat.com>
Cc: Steve Dickson <SteveD@redhat.com>,
Chuck Lever <chuck.lever@oracle.com>,
Trond Myklebust <Trond.Myklebust@netapp.com>,
Linux NFS Mailing list <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH] Adding the nfs4_use_min_auth module parameter
Date: Fri, 8 Nov 2013 10:04:35 -0500 [thread overview]
Message-ID: <20131108150435.GA3533@fieldses.org> (raw)
In-Reply-To: <20131108082202.4032f1a2@tlielax.poochiereds.net>
On Fri, Nov 08, 2013 at 08:22:02AM -0500, Jeff Layton wrote:
> On Fri, 08 Nov 2013 07:41:32 -0500
> Steve Dickson <SteveD@redhat.com> wrote:
> > No. I think the concern here, at least my concern, is the lack of management.
> > We are forcing admins to use krb5i in lease management when its not necessary
> > and there is no way to turn it off.
> >
>
> I don't think that's really the case. The idea was to have the client
> attempt to use krb5i if it's available, and then to fall back to
> AUTH_SYS if it isn't. This would be *absolutely* no big deal if the
> GSSAPI upcall succeeded or failed immediately instead of requiring this
> timeout when the daemon isn't running.
I'm also still a little confused about the security model. We discussed
it before but I can't remember if it was really resolved.
It makes sense to me as long as we insist on krb5i whenever we find a
keytab.
But my understanding was that with the current implementation it's
possible we could find a keytab, attempt the krb5i connection, and
*then* fallback silently on auth_sys if krb5i fails. Is that right?
In that case I don't see the point of the krb5i any more: any attacker
that can spoof rpc replies can force the fallback to auth_sys.
--b.
next prev parent reply other threads:[~2013-11-08 15:04 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-07 19:09 [PATCH] Adding the nfs4_use_min_auth module parameter Steve Dickson
2013-11-07 19:25 ` Chuck Lever
2013-11-07 21:01 ` Jeff Layton
2013-11-07 21:40 ` Steve Dickson
2013-11-07 22:04 ` Jeff Layton
2013-11-07 21:35 ` Steve Dickson
2013-11-07 23:05 ` Chuck Lever
2013-11-08 12:41 ` Steve Dickson
2013-11-08 13:22 ` Jeff Layton
2013-11-08 15:00 ` Steve Dickson
2013-11-08 15:12 ` Jeff Layton
2013-11-08 16:10 ` Steve Dickson
2013-11-08 16:17 ` J. Bruce Fields
2013-11-08 16:19 ` Steve Dickson
2013-11-08 16:22 ` J. Bruce Fields
2013-11-08 16:28 ` Steve Dickson
2013-11-08 16:39 ` J. Bruce Fields
2013-11-08 16:45 ` Steve Dickson
2013-11-08 18:12 ` Chuck Lever
2013-11-08 18:09 ` Chuck Lever
2013-11-08 20:14 ` J. Bruce Fields
2013-11-08 20:32 ` Steve Dickson
2013-11-09 2:04 ` NeilBrown
2013-11-08 16:27 ` Weston Andros Adamson
2013-11-08 16:38 ` Steve Dickson
2013-11-08 15:04 ` J. Bruce Fields [this message]
2013-11-08 15:54 ` Chuck Lever
2013-11-08 16:14 ` J. Bruce Fields
2013-11-08 17:58 ` Chuck Lever
2013-11-08 18:46 ` Chuck Lever
2013-11-08 21:09 ` J. Bruce Fields
2013-11-08 16:17 ` Steve Dickson
2013-11-08 15:46 ` Chuck Lever
2013-11-08 21:25 ` Steve Dickson
2013-11-07 19:26 ` Myklebust, Trond
2013-11-07 21:25 ` Steve Dickson
2013-11-07 21:39 ` Myklebust, Trond
2013-11-07 21:57 ` Steve Dickson
2013-11-07 22:29 ` Myklebust, Trond
2013-11-08 12:21 ` Steve Dickson
2013-11-08 14:30 ` Myklebust, Trond
2013-11-08 15:08 ` Steve Dickson
2013-11-08 15:16 ` Myklebust, Trond
2013-11-08 16:31 ` Steve Dickson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131108150435.GA3533@fieldses.org \
--to=bfields@fieldses.org \
--cc=SteveD@redhat.com \
--cc=Trond.Myklebust@netapp.com \
--cc=chuck.lever@oracle.com \
--cc=jlayton@redhat.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.