Help with kerberos+nfs V4 on a webserver using suexec and suphp

Rainer Krienke krienke at uni-koblenz.de
Mon Mar 16 03:25:48 EDT 2015


On 13.03.2015 at 11:27, Robert Wehn wrote:
...
> 
> We think the suexec-security-mechanism to be basically incompatible with
> an (ACL- and Kerberos-based) NFSv4 way of security. The NFSv4 security
> has at least two important parts. nfs(5):
> * Transport: cryptographic proof of a user's identity (krb5), integrity
> (krb5i), encryption (krb5p).
> * Permissions: rich ACLs.
>
Yes, I think you are right. Kerberos needs to authenticate a user before
allowing this user to access a service like NFS.
This is exactly the problem on a web server where users most often do
not want or need to authenticate just to view a web page but the web
server with kerberos and NFS4 needs to access the html files via NFS
containing the web page. If these files are accessible only via NFS4 and
do not belong to root, access is only granted with a user
authentication. This could be done via a keytab file and a kinit, but
this does not make sense if you have thousands of users.

In the meantime I am thinking about giving up NFS on this particular user
webpage server. Instead I will probably try to use sshfs to mount user
directories. Since we mount user directories via automount, sshfs has
the charm that we only have to change one automounter map in our setup.
Afterwards user directories will automatically be mounted via sshfs. I
only tried a test setup until now which works fine, but I do not yet
have any experience about reliability and stability of this setup.

Have a nice day
Rainer
-- 
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse  1
56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html,Fax: +49261287
1001312
