Re: RFC: A new NFS mount option to encourage use of Kerberized mounts

From: Pete Wright <pete_at_nomadlogic.org>
Date: Tue, 14 Mar 2023 18:53:46 UTC

On Mon, Mar 13, 2023 at 07:25:07PM -0700, Rick Macklem wrote:
> Hi,
> 
> I have implemented a new mount option for NFSv4.1/4.2 mounts
> that I hope will encourage use of Kerberos and TLS to help
> secure NFS mounts.  Although I do not know why users choose
> to not use Kerberized NFS mounts, I think that the administrative
> issues related to the "machine credential" are a factor.
> This new option, which I have called "syskrb5" (feel free to
> suggest a better name), avoids the need for a Kerberos machine
> credential.
> 
<snip>
> 
> So, does this sound like something that should be committed
> to FreeBSD?
>

speaking as an end user..

this sounds pretty fantastic, i have several workloads in public
cloud that use NFS, and having this added layer of auth would be
really beneficial from a security perspective.  i also like how
it should be much easier for me to manage as well.

one question - do you see other NFS implementations getting ready
to roll out this support on their end?  i ask because it would be
nice to have this client support working and well tested by the time
other vendors start offering this support server side.  for example
AWS EFS.

thanks!
-pete

-- 
Pete Wright
pete@nomadlogic.org