From: Chris Siebenmann <cks@cs.toronto.edu>
To: Steve Dickson <SteveD@redhat.com>
Cc: Chris Siebenmann <cks@cs.toronto.edu>,
Linux NFS Mailing list <linux-nfs@vger.kernel.org>
Subject: Re: Best approach for authenticating hosts for NFS (v3)?
Date: Wed, 05 Nov 2014 11:45:55 -0500 [thread overview]
Message-ID: <20141105164555.3958A400746@apps1.cs.toronto.edu> (raw)
In-Reply-To: Your message of Wed, 05 Nov 2014 11:32:12 -0500. <545A510C.4000208@RedHat.com>
> On 11/04/2014 11:53 AM, Chris Siebenmann wrote:
> > PS: 'switch to NFS v4 to strongly authenticate user requests' is not an
> > option for us. We specifically value things that cannot be done
> > with true verification of user identification, like cron, and we
> > don't have and don't want to build the infrastructure that would
> > be required for strongly authenticated NFS v4.
> The exact same "strongly authenticate" that in v4 is available
> with v3. NFS secure mounts (-o krb5) are available
> with all NFS protocol versions.
>
> Tying NFS secure mounts with an FreeIPA environment should work
> out well..
NFS v4 isn't the problem; strong authentication of user identities (and
Kerberos) is the problem. Our environment and our users rely on the many
forms that setuid takes[*] and as far as I know those are impossible with
strong identification (in any NFS or remote filesystem protocol) because
the point of strong authentication is that the server no longer trusts
clients when they say 'honest, I'm working on behalf of uid <X>'.
(Instead the client must prove it by presenting a secret only the user
is supposed to have access to, which the user must have somehow loaded
on the client.)
- cks
[*: including but not limited to crontabs, .forward files, user run web
apps and CGI-BINs, and detached processes left running for weeks.
]
next prev parent reply other threads:[~2014-11-05 16:45 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-04 16:53 Best approach for authenticating hosts for NFS (v3)? Chris Siebenmann
2014-11-05 8:56 ` Christoph Hellwig
2014-11-05 16:32 ` Steve Dickson
2014-11-05 16:45 ` Chris Siebenmann [this message]
2014-11-05 20:21 ` Steve Dickson
2014-11-09 20:50 ` Simo Sorce
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141105164555.3958A400746@apps1.cs.toronto.edu \
--to=cks@cs.toronto.edu \
--cc=SteveD@redhat.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox