* when will we be able to use LIPKEY on NFS4 on Linux?
@ 2010-09-27 8:35 Zhang Weiwu
2010-09-27 12:24 ` Trond Myklebust
0 siblings, 1 reply; 3+ messages in thread
From: Zhang Weiwu @ 2010-09-27 8:35 UTC (permalink / raw)
To: linux-nfs
Hello.
Quote from 2006 article:
http://www.ibm.com/developerworks/systems/library/es-nfs-security/index.html#N100AF
In /a few years/, NFS Version 4 implementations will start claiming
support for the public key-based security mechanism (SPKM and LIPKEY).
My question:
1. Is LIPKEY already implemented in some NFS4 implementation?
Particularly, I am interested using it on Debian Linux.
2. I could not manage to find a how-to on using LIPKEY, e.g. where to
store the public key and certificates, where to configure
username/password for client authentication. Is there one existing?
Thanks in advance!
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: when will we be able to use LIPKEY on NFS4 on Linux?
2010-09-27 8:35 when will we be able to use LIPKEY on NFS4 on Linux? Zhang Weiwu
@ 2010-09-27 12:24 ` Trond Myklebust
2010-09-27 15:01 ` Zhang Weiwu
0 siblings, 1 reply; 3+ messages in thread
From: Trond Myklebust @ 2010-09-27 12:24 UTC (permalink / raw)
To: Zhang Weiwu; +Cc: linux-nfs
On Mon, 2010-09-27 at 16:35 +0800, Zhang Weiwu wrote:
> Hello.
>
> Quote from 2006 article:
> http://www.ibm.com/developerworks/systems/library/es-nfs-security/index.html#N100AF
>
> In /a few years/, NFS Version 4 implementations will start claiming
> support for the public key-based security mechanism (SPKM and LIPKEY).
>
>
> My question:
>
> 1. Is LIPKEY already implemented in some NFS4 implementation?
> Particularly, I am interested using it on Debian Linux.
> 2. I could not manage to find a how-to on using LIPKEY, e.g. where to
> store the public key and certificates, where to configure
> username/password for client authentication. Is there one existing?
>
> Thanks in advance!
We're likely to drop the requirement that SPKM3/LIPKEY be a mandatory
security mechanism for NFSv4 in the revised RFC3530 (a.k.a. RFC3530bis)
that is being drafted.
The reason is that the SPKM3 mechanism (on which LIPKEY relies) appears
to contain inherent security flaws that are difficult to fix. The IETF
security group have therefore pretty much killed it as an option.
Other alternatives to SPKM3 are being discussed, but I'm not aware of
anything that replaces LIPKEY.
Cheers
Trond
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: when will we be able to use LIPKEY on NFS4 on Linux?
2010-09-27 12:24 ` Trond Myklebust
@ 2010-09-27 15:01 ` Zhang Weiwu
0 siblings, 0 replies; 3+ messages in thread
From: Zhang Weiwu @ 2010-09-27 15:01 UTC (permalink / raw)
To: Trond Myklebust; +Cc: linux-nfs
On 2010年09月27日 20:24, Trond Myklebust wrote:
>
> We're likely to drop the requirement that SPKM3/LIPKEY ...
> SPKM3 mechanism (on which LIPKEY relies) appears
> to contain inherent security flaws that are difficult to fix.
Thanks for the clear answer. We have a few setups where an
infrastructure is close to not possible (Kerberos) thus at the moment we
are deciding between switching to samba for username/password
authentication from NFS or uses the long-expected LIPKEY. samba might
have other inherent security flaws but practically security is not a
priority of our concern at the moment. Your information is directly
helpful for making a decision:) thanks!
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2010-09-27 15:01 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-09-27 8:35 when will we be able to use LIPKEY on NFS4 on Linux? Zhang Weiwu
2010-09-27 12:24 ` Trond Myklebust
2010-09-27 15:01 ` Zhang Weiwu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox