From: Lukas Hejtmanek <xhejtman@ics.muni.cz>
To: "Myklebust, Trond" <Trond.Myklebust@netapp.com>
Cc: "J. Bruce Fields" <bfields@fieldses.org>,
"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>
Subject: Re: NFSv4 backchannel authentication
Date: Tue, 7 Aug 2012 18:12:11 +0200
Message-ID: <20120807161211.GL11089@ics.muni.cz>
In-Reply-To: <1344355148.5781.31.camel@lade.trondhjem.org>
On Tue, Aug 07, 2012 at 03:59:09PM +0000, Myklebust, Trond wrote:
> Yes, you can do this, however that requires the server to be configured
> to accept rpcsec_gss and auth_sys from that client.
> It also allows anyone to spoof a callback to your client.
> Furthermore, it would allow anybody to send SETCLIENTID calls using the
> same client id to the server and so they can declare your client to have
> rebooted (so that all state is lost), they can divert callbacks to
> another machine, ....
> IOW: it is not really something you want to allow on an untrusted
> network.
Well, ok, thanks for the answers. However, it seems that while the NFS server's name
is server-home.domain.com (a floating name) and the true hostname is
server1.domain.com, it does not matter that the callback is authenticated with
server1.domain.com instead of server-home.domain.com.
Is this expected? Or is it a bug?
I would suppose that the client rejects authentication of the backchannel from a
server that sends the nfs/server1.domain.com KRB principal instead of the expected
nfs/server-home.domain.com.
The client mounts server-home.domain.com with sec=krb5i. Using debugs I can
see that the server picks up the nfs/server1.domain.com key from /etc/krb5.keytab
and the client seems to be happy with that (the context is established).
--
Lukáš Hejtmánek
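The check the poster expects the client to make, as an added example written for this page (it is not code from the thread, from the Linux NFS client, or from nfs-utils): parse the Kerberos service principal presented on the backchannel context and compare it against the nfs/ principal of the name that was actually mounted. The realm DOMAIN.COM and the function names are constructed for the illustration; the post itself describes the client accepting the mismatched principal, so this models the desired behaviour, not the observed one.

```python
"""Model of a backchannel principal check for NFSv4 + RPCSEC_GSS.

Added example, not from the mailing-list thread or the kernel.
The realm DOMAIN.COM below is a constructed placeholder.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    service: str   # e.g. "nfs"
    host: str      # canonicalised: lowercase, no trailing dot
    realm: str     # realms are case-sensitive, kept as given


def canonical_host(host: str) -> str:
    """DNS names are case-insensitive; a trailing dot is an FQDN marker."""
    return host.strip().lower().rstrip(".")


def parse_principal(text: str) -> Principal:
    """Parse 'service/host@REALM'; reject anything that is not a service principal."""
    if "@" not in text:
        raise ValueError(f"missing realm in principal {text!r}")
    name, realm = text.rsplit("@", 1)
    if "/" not in name:
        raise ValueError(f"not a service principal (no service/host part): {text!r}")
    service, host = name.split("/", 1)
    if not service or not host or not realm:
        raise ValueError(f"malformed principal {text!r}")
    return Principal(service, canonical_host(host), realm)


def expected_backchannel_principal(mount_host: str, realm: str) -> Principal:
    """The only principal a client should accept on the backchannel is the
    nfs/ service principal of the name it mounted (the floating name here)."""
    return Principal("nfs", canonical_host(mount_host), realm)


def backchannel_principal_ok(mount_host: str, realm: str, presented: str) -> bool:
    """True only if the presented context principal is exactly nfs/<mount_host>@<realm>.
    A different host under the same realm (e.g. the server's real hostname) is
    rejected, as are non-nfs services and unparsable strings."""
    try:
        presented_principal = parse_principal(presented)
    except ValueError:
        return False
    return presented_principal == expected_backchannel_principal(mount_host, realm)


if __name__ == "__main__":
    mount = "server-home.domain.com"
    for candidate in ("nfs/server-home.domain.com@DOMAIN.COM",
                      "nfs/server1.domain.com@DOMAIN.COM",
                      "host/server-home.domain.com@DOMAIN.COM"):
        print(candidate, "->", backchannel_principal_ok(mount, "DOMAIN.COM", candidate))
```

The poster's scenario maps onto the second candidate: the server picked the nfs/server1.domain.com key from its keytab, and a client doing the comparison above would refuse that context for a mount of server-home.domain.com.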
Thread overview: 18+ messages
2012-08-06 13:55 NFSv4 backchannel authentication Lukas Hejtmanek
2012-08-07 15:41 ` J. Bruce Fields
2012-08-07 15:59 ` Myklebust, Trond
2012-08-07 16:12 ` Lukas Hejtmanek [this message]
2012-08-08 7:58 ` Zdenek Salvet
2012-08-08 13:18 ` Myklebust, Trond
2012-08-09 8:06 ` Zdenek Salvet
2012-08-09 14:45 ` J. Bruce Fields
2012-08-09 15:53 ` Myklebust, Trond
2012-08-09 16:28 ` Lukas Hejtmanek
2012-08-09 16:30 ` Myklebust, Trond
2012-08-09 16:38 ` J. Bruce Fields
2012-08-09 16:49 ` Myklebust, Trond
2012-08-09 16:50 ` J. Bruce Fields
2012-08-09 17:58 ` Zdenek Salvet
2012-08-09 18:01 ` [PATCH] README: note gssd/svcgssd may be needed on both sides J. Bruce Fields
2012-08-10 5:20 ` NFSv4 backchannel authentication NeilBrown
2012-08-10 17:23 ` J. Bruce Fields