Re: Best approach for authenticating hosts for NFS (v3)?

[Steve Dickson <SteveD@redhat.com>]

On 11/05/2014 11:45 AM, Chris Siebenmann wrote:
>> On 11/04/2014 11:53 AM, Chris Siebenmann wrote:
>>> PS: 'switch to NFS v4 to strongly authenticate user requests' is not an
>>>     option for us. We specifically value things that cannot be done
>>>     with true verification of user identification, like cron, and we
>>>     don't have and don't want to build the infrastructure that would
>>>     be required for strongly authenticated NFS v4.
>> The exact same "strongly authenticate" that in v4 is available
>> with v3. NFS secure mounts (-o krb5) are available 
>> with all NFS protocol versions.
>>
>> Tying NFS secure mounts with an FreeIPA environment should work
>> out well..    
> 
>  NFS v4 isn't the problem; strong authentication of user identities (and
> Kerberos) is the problem. Our environment and our users rely on the many
> forms that setuid takes[*] and as far as I know those are impossible with
> strong identification (in any NFS or remote filesystem protocol) because
> the point of strong authentication is that the server no longer trusts
> clients when they say 'honest, I'm working on behalf of uid <X>'.
Gotta... Interesting... I was just talking to a customer about 
this very problem...  Not being able to tie multiple GSS contexts 
to a single uid... 

steved.
> 
> (Instead the client must prove it by presenting a secret only the user
> is supposed to have access to, which the user must have somehow loaded
> on the client.)
> 
> 	- cks
> [*: including but not limited to crontabs, .forward files, user run web
>     apps and CGI-BINs, and detached processes left running for weeks.
> ]
>