Switching identity using kinit/kdestroy for NFSv4 mounts doesn't work

Robert Wehn robert.wehn at rz.uni-augsburg.de
Mon Mar 16 05:33:18 EDT 2015



Hello *

@Brandon, Ben:
On 13.03.2015, 15:05 Brandon Allbery wrote:
> ... the whole business about snooping ticket caches and caching its
> own private copy is concerning security-wise and seems like it
> would easily become confused.

On 13.03.2015, 16:53 Benjamin Kaduk wrote:
> See Brandon's response as well, but from a security perspective,
> the kernel NFS implementation is wrong to cache things for so
> long, especially without providing a way to invalidate a cached
> entry.

It's nice to hear that we're not the only ones thinking this is not
such a good idea.


@Simo
On 13.03.2015, 17:24 Simo Sorce wrote:
> Note that NFS does not cache a ticket, it simply does not destroy
> the GSS Session after it has been created.
We didn't get this detail from our test.
> An interface to allow to destroy the NFS's user session on kdestroy
> has been discussed with NFS upstream before but it hasn't gone
> anywhere yet.
Do you refer to these discussions or is there something else we missed?
http://thread.gmane.org/gmane.linux.nfs/46234
https://fedorahosted.org/gss-proxy/ticket/1


It looks like the problem is well known and there have been ideas to
solve it which never made it into the kernel:
http://www.spinics.net/lists/linux-nfs/msg34236.html
http://www.citi.umich.edu/projects/asci/icsi-alpha/nfs-utils-patches/1.0.10-asci-2/nfs-utils-1.0.10-asci-017-add_nfslogin.dif

Does one of you have an idea how the situation can be pushed in the
right direction?

Our Canonical support contact created a bug here:
https://bugzilla.kernel.org/show_bug.cgi?id=93891
Maybe comments on it from the Kerberos community would help ...

Robert.

-- 

Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028