About the purpose of client host principals for NFS
Marco Rebhan
me at dblsaiko.net
Sat Oct 7 15:21:23 EDT 2023
Hey list,

I'm currently setting up Kerberos for my home network. The main motivation was
to get secure NFS, and as such I've looked at various guides on how to set it
up for that. They (for example, the Arch Wiki[1]) pretty much all tell you to
create principals for the host and NFS service for both the NFS server and
clients that want to connect.

However, after setting up the NFS server and my Linux PC like this, I tested
the whole setup with my MacBook which doesn't have a host principal or any
other krb5 configuration yet (it can find the KDC due to DNS), and to my
surprise it can both obtain a TGT for my user and afterwards also mount the
NFS share.

What purpose does the host principal for clients serve here? I assumed it
would be either used to authenticate hosts before they're allowed to obtain a
TGT, or authenticate for mounting NFS shares, but clearly that's not the case
since it works without. Is it only used so that the network share can be
mounted without a user TGT?

Thanks,
Marco

[1]: https://wiki.archlinux.org/title/Kerberos#NFS_security