Switching identity using kinit/kdestroy for NFSv4 mounts doesn't work

Brandon Allbery ballbery at sinenomine.net
Fri Mar 13 10:05:15 EDT 2015


On Fri, 2015-03-13 at 14:55 +0100, Robert Wehn wrote:
> There is a bug report/suggested patch which seems to make it possible
> but never seemed to get into the kernel:
> http://www.spinics.net/lists/linux-nfs/msg34236.html
> 
> What is your opinion of this behavior?
> Do you think this is reasonable from a Kerberos point of view, or do you
> also think this needs to be changed?

This isn't Kerberos's fault, but NFS's; it's how it avoids having token
management like AFS uses (extra aklog step to register ticket with
filesystem and unlog to deregister it). Personally, I prefer AFS's way
of dealing with it; the whole business about snooping ticket caches and
caching its own private copy is concerning security-wise and seems like
it would easily become confused.

-- 
brandon s allbery kf8nh                           sine nomine associates
allbery.b at gmail.com                              ballbery at sinenomine.net
unix openafs kerberos infrastructure xmonad        http://sinenomine.net
