Re: Kerberised NFSv4 - everyone gets mapped to nobody on file access
Date: Tue, 09 Apr 2024 22:24:24 UTC
On Tue, Apr 9, 2024 at 2:57 PM Andreas Kempe <kempe@lysator.liu.se> wrote:
>
> Thank you for all your help, Rick!
>
> I have spent a few too many hours trying to get this to work and have
> decided to give up on Kerberos and keep running sec=sys for the time
> being. Once all our Linux clients become modern enough, I might give
> TLS a shot instead.

Just fyi (and for others reading this), using NFS over TLS provides
somewhat different security.

Both sec=krb5p and NFS over TLS provide encryption on the wire, but
Kerberos provides user authentication and TLS does not. TLS does
optionally allow the client to provide an X.509 certificate during the
TLS handshake, which is typically used to identify the client system and
not a user.

There is one exception for NFS over TLS, typically referred to as "TLS
identity squashing", where a single user is identified in the TLS
certificate the client presents to the server. For this case, all RPCs
on the mount are done as that user. (Useful for cases like personal
laptops/desktops, but not for generic mounts.)

So, if your main security concern is "unencrypted data on the wire",
NFS over TLS is attractive. However, if your main security concern is
"malicious users on client machines", NFS over TLS does not help much,
unless you can map all users on the client to one user on the server.

rick

>
> Best regards,
> Andreas Kempe
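The three export modes contrasted above, written out as an added example in FreeBSD exports(5) syntax (not from the original thread); the paths, host and user name are constructed, and the client is assumed to run rpc.tlsclntd and the server rpc.tlsservd:

```conf
# /etc/exports (constructed example, FreeBSD syntax)

# 1. Kerberos: every RPC carries a per-user Kerberos credential, so the
#    server authenticates the actual user; krb5p also encrypts the wire.
/export/home   -sec=krb5p   -network 192.0.2.0/24

# 2. NFS over TLS: the wire is encrypted, but RPCs still arrive as
#    AUTH_SYS (sec=sys). The server trusts whatever uid/gid the client
#    sends, so a malicious local user on the client is not stopped.
#    -tlscert additionally requires the client to present an X.509
#    certificate, which identifies the client machine, not the user.
/export/shared -tls -tlscert -network 192.0.2.0/24

# 3. "TLS identity squashing": the client certificate names one user
#    (in its subjectAltName otherName) and every RPC on the mount is
#    performed as that user, whatever uid the client sends. Suitable for
#    a single-user laptop, not for a generic multi-user mount.
/export/laptop -tls -tlscertuser -network 192.0.2.0/24
```

On the client the corresponding mount options are `sec=krb5p` for case 1 and `tls` for cases 2 and 3 (e.g. `mount -t nfs -o nfsv4,tls server:/export/shared /mnt`); a mount that negotiates TLS but not Kerberos should be treated, for authorization purposes, as a sec=sys mount.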