Secure NFSv4 mounts and daemons

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Ralph Zack <ralphz@zoho.com>
To: linux-nfs@vger.kernel.org
Subject: Secure NFSv4 mounts and daemons
Date: Thu, 15 Jan 2015 00:12:01 +0100	[thread overview]
Message-ID: <54B6F7C1.5040208@zoho.com> (raw)

Hi all,

I have a number of NFSv4 shares which should only be accessible after
successful authentication, for which reason they are exported with
sec=krb5p. However, this method requires the user to obtain a kerberos
ticket to access files on the share, which is fine for regular users but
causes issues for daemons which are not kerberos-aware.

What is the common way to handle this problem? It can hardly be the only
solution to patch each service to obtain a ticket at startup. Please
correct me if I'm wrong, but I could not find any mechanism besides
kerberos that provides encryption and authentication for NFS shares. I'd
be fine with authentication on a host level, I mainly want to ensure
that only trusted machines can accesses these shares and that all
traffic is encrypted. Without the overhead of establishing a VPN
connection between client and server, in case anyone was going to
suggest that ;)

Cheers,

Ralph

next             reply	other threads:[~2015-01-14 23:18 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-01-14 23:12 Ralph Zack [this message]
2015-01-16  9:06 ` Secure NFSv4 mounts and daemons Paul van der Vlis
2015-01-16 21:36   ` Benjamin Coddington
2015-01-17 11:53     ` Ralph Zack
2015-01-16 23:11 ` Anthony Messina

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=54B6F7C1.5040208@zoho.com \
    --to=ralphz@zoho.com \
    --cc=linux-nfs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.