Re: Secure NFSv4 mounts and daemons

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Paul van der Vlis <paul@vandervlis.nl>
To: linux-nfs@vger.kernel.org
Subject: Re: Secure NFSv4 mounts and daemons
Date: Fri, 16 Jan 2015 10:06:45 +0100	[thread overview]
Message-ID: <m9akb5$ig3$1@ger.gmane.org> (raw)
In-Reply-To: <54B6F7C1.5040208@zoho.com>

Hi Ralph,

Op 15-01-15 om 00:12 schreef Ralph Zack:
> Hi all,
> 
> I have a number of NFSv4 shares which should only be accessible after
> successful authentication, for which reason they are exported with
> sec=krb5p. However, this method requires the user to obtain a kerberos
> ticket to access files on the share, which is fine for regular users but
> causes issues for daemons which are not kerberos-aware.
> 
> What is the common way to handle this problem? It can hardly be the only
> solution to patch each service to obtain a ticket at startup. Please
> correct me if I'm wrong, but I could not find any mechanism besides
> kerberos that provides encryption and authentication for NFS shares. I'd
> be fine with authentication on a host level, I mainly want to ensure
> that only trusted machines can accesses these shares and that all
> traffic is encrypted. Without the overhead of establishing a VPN
> connection between client and server, in case anyone was going to
> suggest that ;)

I've once seen that something like this makes a ticket:
su -c "echo password | kinit user" user
But never used it in reality.

Maybe you can ask this question better in the Kerberos mailinglist.
I think this is not a good solution...

With regards,
Paul van der Vlis





-- 
Paul van der Vlis Linux systeembeheer, Groningen
http://www.vandervlis.nl/

next prev parent reply	other threads:[~2015-01-16  9:06 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-01-14 23:12 Secure NFSv4 mounts and daemons Ralph Zack
2015-01-16  9:06 ` Paul van der Vlis [this message]
2015-01-16 21:36   ` Benjamin Coddington
2015-01-17 11:53     ` Ralph Zack
2015-01-16 23:11 ` Anthony Messina

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='m9akb5$ig3$1@ger.gmane.org' \
    --to=paul@vandervlis.nl \
    --cc=linux-nfs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.