From: Benjamin Coddington <bcodding@redhat.com>
To: Paul van der Vlis <paul@vandervlis.nl>
Cc: linux-nfs@vger.kernel.org
Subject: Re: Secure NFSv4 mounts and daemons
Date: Fri, 16 Jan 2015 16:36:15 -0500 (EST) [thread overview]
Message-ID: <alpine.OSX.2.19.9992.1501161628010.498@planck.local> (raw)
In-Reply-To: <m9akb5$ig3$1@ger.gmane.org>
On Fri, 16 Jan 2015, Paul van der Vlis wrote:
> Hi Ralph,
>
> Op 15-01-15 om 00:12 schreef Ralph Zack:
> > Hi all,
> >
> > I have a number of NFSv4 shares which should only be accessible after
> > successful authentication, for which reason they are exported with
> > sec=krb5p. However, this method requires the user to obtain a kerberos
> > ticket to access files on the share, which is fine for regular users but
> > causes issues for daemons which are not kerberos-aware.
> >
> > What is the common way to handle this problem? It can hardly be the only
> > solution to patch each service to obtain a ticket at startup. Please
> > correct me if I'm wrong, but I could not find any mechanism besides
> > kerberos that provides encryption and authentication for NFS shares. I'd
> > be fine with authentication on a host level, I mainly want to ensure
> > that only trusted machines can accesses these shares and that all
> > traffic is encrypted. Without the overhead of establishing a VPN
> > connection between client and server, in case anyone was going to
> > suggest that ;)
>
> I've once seen that something like this makes a ticket:
> su -c "echo password | kinit user" user
> But never used it in reality.
>
> Maybe you can ask this question better in the Kerberos mailinglist.
> I think this is not a good solution...
>
> With regards,
> Paul van der Vlis
Wow, looks like kinit /will/ read your password from stdin. I had no idea.
I've done this with a keytab and cron job running as the
service's user to keep the credential caches for the service's user fresh.
Kinit should be something like `kinit -kt /keyab/file batch/host@realm.com`
Run your jobs more frequently than the ticket expiry time and everything
should be fine.
Ben
next prev parent reply other threads:[~2015-01-16 21:36 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-14 23:12 Secure NFSv4 mounts and daemons Ralph Zack
2015-01-16 9:06 ` Paul van der Vlis
2015-01-16 21:36 ` Benjamin Coddington [this message]
2015-01-17 11:53 ` Ralph Zack
2015-01-16 23:11 ` Anthony Messina
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.OSX.2.19.9992.1501161628010.498@planck.local \
--to=bcodding@redhat.com \
--cc=linux-nfs@vger.kernel.org \
--cc=paul@vandervlis.nl \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox