From: Tom Haynes <tdh-8AdZ+HgO7noAvxtiuMwx3w@public.gmane.org>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Subject: Re: Security negotiation
Date: Fri, 10 Jul 2009 17:38:43 -0500 [thread overview]
Message-ID: <4A57C2F3.4070109@excfb.com> (raw)
In-Reply-To: <2BA1057E-5A8E-4780-B8F2-FCC8BA3846CC@oracle.com>
Chuck Lever wrote:
> On Jul 10, 2009, at 4:55 PM, Tom Haynes wrote:
>
>> The second option would push AUTH_NONE to the end of the list, which
>> corresponds to my thinking of it as a wild card.
>
> The problem with the server's auth list is that it is a list of _all_
> flavors that the server supports.
For us it is a list of flavors supported on that export.
Our default export is basically sec=sys,rw.
To get all of the flavors, the admin would have to configure them in.
>
> I was wondering when a server would not want to order the flavor list
> by strongest to weakest. We have the use case of the kerberos 5
> pseudoflavors: clients should probably use krb5 over krb5p by
> default, as this provides good security without a lot of performance
> overhead. But krb5p is stronger security than krb5.
When they have different access lists.
If they have the same access lists, then the server is free to order them...
share -F nfs -o sec=sys:none:krb5,rw /foo
share -F nfs -o sec=sys,ro,sec=krb5p,rw,root=@192.168.2.0,sec=krb5,rw /bar
In the first, we don't care how the server presents them. In the second,
the list would be: sys krb5p krb5.
next prev parent reply other threads:[~2009-07-10 22:38 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-07-10 18:07 Security negotiation Tom Haynes
[not found] ` <4A578372.1020005-8AdZ+HgO7noAvxtiuMwx3w@public.gmane.org>
2009-07-10 18:57 ` Chuck Lever
2009-07-10 20:11 ` Chuck Lever
2009-07-10 20:55 ` Tom Haynes
[not found] ` <4A57AADE.8080002-8AdZ+HgO7noAvxtiuMwx3w@public.gmane.org>
2009-07-10 21:37 ` Chuck Lever
2009-07-10 22:38 ` Tom Haynes [this message]
[not found] ` <4A57C2F3.4070109-8AdZ+HgO7noAvxtiuMwx3w@public.gmane.org>
2009-07-10 22:45 ` Trond Myklebust
[not found] ` <1247265922.8254.30.camel-rJ7iovZKK19ZJLDQqaL3InhyD016LWXt@public.gmane.org>
2009-07-13 16:07 ` Tom Haynes
2009-07-13 16:20 ` Trond Myklebust
[not found] ` <1247502007.14524.3.camel-rJ7iovZKK19ZJLDQqaL3InhyD016LWXt@public.gmane.org>
2009-07-13 16:44 ` Tom Haynes
2009-07-13 17:41 ` J. Bruce Fields
2009-07-14 18:24 ` Tom Haynes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A57C2F3.4070109@excfb.com \
--to=tdh-8adz+hgo7noavxtiumwx3w@public.gmane.org \
--cc=chuck.lever@oracle.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox