Re: Secure NFSv4 mounts and daemons

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Anthony Messina <amessina@messinet.com>
To: linux-nfs@vger.kernel.org
Subject: Re: Secure NFSv4 mounts and daemons
Date: Fri, 16 Jan 2015 17:11:06 -0600	[thread overview]
Message-ID: <7292044.Frj4BhIHUy@linux-ws1.messinet.com> (raw)
In-Reply-To: <54B6F7C1.5040208@zoho.com>

[-- Attachment #1: Type: text/plain, Size: 1210 bytes --]

On Thursday, January 15, 2015 12:12:01 AM Ralph Zack wrote:
> I have a number of NFSv4 shares which should only be accessible after
> successful authentication, for which reason they are exported with
> sec=krb5p. However, this method requires the user to obtain a kerberos
> ticket to access files on the share, which is fine for regular users but
> causes issues for daemons which are not kerberos-aware.
> 
> What is the common way to handle this problem? It can hardly be the only
> solution to patch each service to obtain a ticket at startup. Please
> correct me if I'm wrong, but I could not find any mechanism besides
> kerberos that provides encryption and authentication for NFS shares. I'd
> be fine with authentication on a host level, I mainly want to ensure
> that only trusted machines can accesses these shares and that all
> traffic is encrypted. Without the overhead of establishing a VPN
> connection between client and server, in case anyone was going to
> suggest that

I use GSS-Proxy for this:
https://fedorahosted.org/gss-proxy/

-A

-- 
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

     prev parent reply	other threads:[~2015-01-16 23:17 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-01-14 23:12 Secure NFSv4 mounts and daemons Ralph Zack
2015-01-16  9:06 ` Paul van der Vlis
2015-01-16 21:36   ` Benjamin Coddington
2015-01-17 11:53     ` Ralph Zack
2015-01-16 23:11 ` Anthony Messina [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=7292044.Frj4BhIHUy@linux-ws1.messinet.com \
    --to=amessina@messinet.com \
    --cc=linux-nfs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.