[BBLISA] Secure, authenticated file serving to untrusted clients
Theo Van Dinter
felicity at kluge.net
Wed Apr 15 11:26:49 EDT 2009
On Wed, Apr 15, 2009 at 10:51 AM, Ben Eisenbraun <bene at klatsch.org> wrote:
> From what I understand of NFSv4, if I set it up to use kerberos, then I can
> do this, since only a user with a valid kerberos ticket will be able to
> access the files on the share. It seems like a kerberized solution could
> work here, but I'm not sure what protocol to use.
We do kerberized NFSv3 for homedirs, shares, etc. Works fine for at
least Linux and Mac OS X. :)
NFSv4 seems to still have fairly weak support out there, both on
clients and servers.
> * Yes, I know that if someone has root on the workstation, then all bets
> are off, since they can trojan kinit to collect passphrases, steal tickets,
> etc. I'm just trying to raise the bar significantly higher than the
> standard NFS level of (in)security.
Beyond that, if you have root (or physical access which leads to root)
you can "su - user" and will have access to their krb tickets,
assuming they're still valid.
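The "standard NFS level of (in)security" Ben refers to is AUTH_SYS, where the server trusts whatever UID the client presents; the export-side fix for a Kerberized setup is to restrict each export to the krb5/krb5i/krb5p flavours. The following is an added example, not code from the thread or from either poster: a small POSIX sh audit that reads Linux nfs-utils style /etc/exports lines and flags any export that still accepts AUTH_SYS, either explicitly (sec=sys in the list) or by omission (no sec= option, which defaults to sys). It assumes the nfs-utils syntax where several flavours are separated by ':' (e.g. sec=krb5p:krb5i), parses only the first client(options) block on each line, and runs on a constructed sample rather than a real exports file.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits /etc/exports-style lines
# and flags exports that still accept AUTH_SYS (sec=sys, or no sec= option at
# all, which is the server default): the plain-NFS "trust the client's UID"
# model. Exports that only allow sec=krb5, krb5i or krb5p pass.
# Assumption: nfs-utils syntax; only the first client(options) block per line
# is inspected.

# sec_flavors LINE -> prints the space-separated sec= flavours of the export's
# option block, or "sys" when the option is absent.
sec_flavors() {
    opts=$(printf '%s\n' "$1" | sed -n 's/^[^(]*(\([^)]*\)).*$/\1/p')
    found=""
    oldifs=$IFS; IFS=','
    for opt in $opts; do
        case $opt in
            sec=*) found=${opt#sec=} ;;
        esac
    done
    IFS=$oldifs
    [ -n "$found" ] || found="sys"
    # nfs-utils separates multiple flavours with ':' (e.g. sec=krb5p:krb5i)
    printf '%s\n' "$found" | tr ':' ' '
}

# export_is_kerberized LINE -> exit 0 when every accepted flavour is a
# Kerberos one, 1 when AUTH_SYS (explicit or default) is accepted.
export_is_kerberized() {
    for f in $(sec_flavors "$1"); do
        case $f in
            krb5|krb5i|krb5p) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# audit_exports reads export lines on stdin and prints one verdict per line.
audit_exports() {
    while IFS= read -r line; do
        # skip comments and blank lines
        case $line in ''|'#'*) continue ;; esac
        if export_is_kerberized "$line"; then
            printf 'OK    %s\n' "$line"
        else
            printf 'WEAK  %s (accepts sec=%s)\n' "$line" \
                "$(sec_flavors "$line" | tr ' ' ',')"
        fi
    done
}

# Constructed sample, not a real exports file.
SAMPLE_EXPORTS='# constructed sample
/home        *(rw,sec=krb5p)
/shares      10.0.0.0/8(rw,sec=krb5i:krb5p)
/scratch     10.0.0.0/8(rw)
/legacy      *(ro,sec=sys:krb5)'

# count_weak_exports -> prints how many sample exports still accept AUTH_SYS
count_weak_exports() {
    printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports | grep -c '^WEAK' || true
}

printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```

Run it against a real file with `audit_exports < /etc/exports`. The /legacy line shows the case that is easy to miss in review: listing krb5 alongside sys does not raise the bar, because a client can still negotiate sec=sys, so the export counts as weak until sys is dropped from the list.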