Date:      Mon, 15 Apr 2024 21:53:13 +0200
From:      Andreas Kempe <kempe@lysator.liu.se>
To:        Rick Macklem <rick.macklem@gmail.com>
Cc:        freebsd-fs@freebsd.org
Subject:   Re: Kerberised NFSv4 - everyone gets mapped to nobody on file access
Message-ID:  <Zh2FqXMQgq9rcc-A@shipon.lysator.liu.se>
In-Reply-To: <CAM5tNy5a-CALZdrHhCQ1akmR3=BqeEK8EFb6UxZ%2BCOp38u3bTg@mail.gmail.com>
References:  <CAM5tNy7YM6bRKTX3pLR8hC-a-cmxXA=wv4j0E8cBWGthbxzLdQ@mail.gmail.com> <ZgRUqkl1zVxMPt6K@shipon.lysator.liu.se> <CAM5tNy68W16ut4vR1Y9xxPwaU%2BT%2Bt8fU8dwg3DbfhMT5h5iEDQ@mail.gmail.com> <ZgVKehV_9ePUBdwd@shipon.lysator.liu.se> <CAM5tNy4ye6BwYAZ%2BVYQOgDnSjAmyg%2BCCu=XCm-%2BDZucfrfwgKw@mail.gmail.com> <CAM5tNy4%2BbUc0VMY8i_E9P-pT0CEOXHpKzitMuKYzydH465OBGg@mail.gmail.com> <ZgiIAyDKPlCr1c9C@shipon.lysator.liu.se> <CAM5tNy5GbbZSJ3sOALx6zUkZz_7BJGzQ_63srVK88RFecb_eCQ@mail.gmail.com> <Zhv1jtKU8lRdKOul@shipon.lysator.liu.se> <CAM5tNy5a-CALZdrHhCQ1akmR3=BqeEK8EFb6UxZ%2BCOp38u3bTg@mail.gmail.com>

On Sun, Apr 14, 2024 at 12:30:22PM -0700, Rick Macklem wrote:
> On Sun, Apr 14, 2024 at 8:26 AM Andreas Kempe <kempe@lysator.liu.se> wrote:
> > Am I correct in thinking that Kerberos isn't really designed to be
> > used for only authenticating the machine? Users having to always have
> > their own valid Kerberos ticket doesn't really work for us.
> Yes. The "host" keytab credential is a "hack". Kerberos calls them
> service principals and they were not intended to authenticate a machine
> when Kerberos was designed.
> 
> If users are running cron jobs, then one way around the problem
> is to have the KDC issue renewable tickets and then run a daemon
> (can't remember the name, but it is easy to find and opensourced)
> that renews TGTs. (This only works up to the renew limit of the KDC
> config.)
> 

I have seen that this should be possible; the Linux SSSD daemon can do
that. We do still have the issue of users having to log on to every
system after a reboot to init a ticket, so I still don't think it would
be ideal for us.

> NFS-over-TLS (called RPC-over-TLS by the Linux folk) does allow
> a client to provide an X.509 certificate during TLS handshake to
> identify the client machine and the TLS encrypts everything on
> the wire to avoid middleman attacks or snoopers.
> It does not identify users on the server, unless TLS identity
> squashing is used via the X.509 certificate to make all RPCs
> done by a user. (This has the advantage that it is not "nobody",
> but is only useful for things like laptops, that are only used by
> one user. It does have the advantage that there are no tickets
> to expire, although there is a, usually long, expiration on the X.509
> certificate.)
> 

If I'm running NFS with TLS without TLS identity squashing, does this
mean that users are resolved the same way they are with sec=sys? If
so, this could be the solution we are looking for if I can make sure
that all our Linux systems that need to mount have a new enough Linux
kernel to support it.

// Andreas Kempe
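
Added editorial example (not from the thread, and not the configuration of either poster) showing the two NFS-over-TLS modes Rick describes as they are expressed on a FreeBSD server. Export paths, the client network, hostnames and certificate locations are placeholders I have assumed. The export flags `-tls`, `-tlscert` and `-tlscertuser` are documented in exports(5); the Linux `xprtsec=` mount option is documented in nfs(5) for recent kernels. The CA-location flags for rpc.tlsservd(8) are deliberately left out; take them from its manual page rather than from this fragment.

```conf
# /etc/exports on the FreeBSD NFS server (constructed example).

# TLS required, client must present a certificate (-tlscert), but no
# identity squashing: the server still trusts the uid/gid in each
# AUTH_SYS RPC, so user mapping behaves as it does for sec=sys while
# the client *machine* is authenticated and the wire is encrypted.
/export/home     -tlscert      -network 192.0.2.0/24

# TLS required and every RPC squashed to the user named in the client
# certificate's otherName subjectAltName (user@domain form, see
# exports(5)). Only appropriate for single-user machines such as laptops.
/export/laptops  -tlscertuser  -network 192.0.2.0/24

# /etc/rc.conf on the same server (constructed example).
nfs_server_enable="YES"
nfsv4_server_enable="YES"
tlsservd_enable="YES"
# rpc.tlsservd(8) must also be pointed at the CA that signed the client
# certificates; the flags for that are omitted here, see its man page.

# Mount commands on the clients (constructed example; "nfs.example.org"
# is a placeholder). FreeBSD client, rpc.tlsclntd(8) running:
#   mount -t nfs -o nfsv4,tls nfs.example.org:/export/home /mnt/home
# Linux client with a kernel new enough to support RPC-over-TLS,
# mutual TLS so the client certificate is sent:
#   mount -t nfs -o vers=4.2,xprtsec=mtls nfs.example.org:/export/home /mnt/home
```

The operational point for the question in the message above is the first export line: with `-tls`/`-tlscert` and without `-tlscertuser`, the server has no per-user identity from TLS at all, so it falls back to whatever credentials the RPC carries, exactly as with `sec=sys`. TLS then protects the transport and proves which machine is talking, but a client that lies about uids is still trusted for those exports.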