Accessing Kerberos NFS version 4 (not 2, 3) via /net automounter with kinit only (no /etc/krb5.conf access)

Nico Williams nico at cryptonector.com
Tue Apr 15 16:06:21 EDT 2014


On Tue, Apr 15, 2014 at 2:48 PM, Tomas Kuthan <tomas.kuthan at oracle.com> wrote:
> On 04/15/14 21:16, Nico Williams wrote:
>> That said, it's best practice to key all devices.  Still, nothing in
>> NFSv4 requires such keys to be named in host-based ways.
>
> Makes sense ... but still, basing it on the host is a nifty way of constructing
> a unique principal name. Is there a meaningful alternative for mobile devices?

But it isn't nifty.  You quickly run into the issue that the hostname
has to have a record in whatever manages your DNS zones, else someone
might use that hostname and now some device has keys for its
principal.

Nico
--

