About the purpose of client host principals for NFS

Russ Allbery eagle at eyrie.org
Sat Oct 7 16:15:32 EDT 2023


Marco Rebhan via Kerberos <kerberos at mit.edu> writes:

> What purpose does the host principal for clients serve here? I assumed
> it would be either used to authenticate hosts before they're allowed to
> obtain a TGT, or authenticate for mounting NFS shares, but clearly
> that's not the case since it works without. Is it only used so that the
> network share can be mounted without a user TGT?

Yup, pretty much.  There is indeed no need to key clients if you're going
to obtain credentials after login with something like kinit and you don't
care about more sophisticated Kerberos network protection features like
FAST.

The other reason to key a client is so that it can verify that the
password that you enter is indeed a valid Kerberos credential so that you
can use Kerberos to control access to the system itself.  If the system
doesn't have any keys (and you don't have something like anonymous PKINIT
available), then the client computer can't tell the difference between
getting Kerberos credentials from a real KDC or from a fake KDC that
someone put on the same network.  This only matters in cases where someone
might be trying to log on to the client system with fake Kerberos
credentials, and doesn't really matter if you're logging on to the system
with local credentials and then getting Kerberos credentials later.

(This is mostly relevant for work computers that use central Kerberos to
authenticate all access, computer labs that have multiple users, and
similar sorts of cases.)

-- 
Russ Allbery (eagle at eyrie.org)             <https://www.eyrie.org/~eagle/>
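The fake-KDC distinction Russ describes can be made concrete with a small model. The following is an added illustration, not code from this thread or from MIT Kerberos: the HMAC-SHA256 "seal" stands in for real Kerberos encryption types, the messages are JSON rather than ASN.1, and the principal names (`alice`, `host/ws01.example.com`) and passwords are made up. The keyed client's check mirrors what `krb5_verify_init_creds()` does on the client side (request a ticket for the host's own principal and confirm it decrypts with the keytab), which is the step an unkeyed client cannot perform.

```python
"""Toy model: why a client host key lets a login stack detect a rogue KDC.

Added example, not part of the mailing-list reply or of MIT krb5. The
HMAC-based seal()/unseal() pair stands in for Kerberos encryption types;
principal names, hostnames and passwords are constructed for the demo.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional

TAG_LEN = 32


def derive_key(password: str, salt: str) -> bytes:
    """Stand-in for Kerberos string-to-key (AES enctypes really do use PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def seal(key: bytes, payload: dict) -> bytes:
    """Toy 'encryption': JSON body plus an HMAC-SHA256 tag under the given key."""
    body = json.dumps(payload, sort_keys=True).encode()
    return body + hmac.new(key, body, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Open a sealed blob; raise if it was not produced under this key."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, "sha256").digest(), tag):
        raise ValueError("integrity check failed: not issued under this key")
    return json.loads(body)


class KDC:
    """Holds long-term keys for whichever principals it knows about."""

    def __init__(self, principal_keys: dict):
        self.keys = principal_keys
        self.tgs_key = secrets.token_bytes(32)  # key of krbtgt/REALM

    def as_exchange(self, user: str):
        """AS-REQ/AS-REP: TGT under the krbtgt key, session key under the user's key."""
        session = secrets.token_bytes(32).hex()
        tgt = seal(self.tgs_key, {"client": user, "session": session})
        enc_part = seal(self.keys[user], {"session": session})
        return tgt, enc_part

    def tgs_exchange(self, tgt: bytes, service: str) -> bytes:
        """TGS-REQ/TGS-REP: service ticket sealed under the service's long-term key.
        A KDC that does not hold that key can only make something up."""
        info = unseal(self.tgs_key, tgt)
        svc_key = self.keys.get(service) or secrets.token_bytes(32)
        return seal(svc_key, {"client": info["client"], "service": service})


class Client:
    def __init__(self, hostname: str, keytab_key: Optional[bytes]):
        self.principal = f"host/{hostname}"
        self.keytab_key = keytab_key  # None models an unkeyed client

    def login(self, kdc: KDC, user: str, password: str) -> str:
        tgt, enc_part = kdc.as_exchange(user)
        # Decrypting the AS-REP only proves the KDC knows the password that was
        # typed; a rogue KDC keyed with that same password passes this step.
        unseal(derive_key(password, user), enc_part)
        if self.keytab_key is None:
            return "accepted-unverified"
        # Keyed client (what krb5_verify_init_creds() does): ask for a ticket
        # for our own host principal and require that the keytab key opens it.
        ticket = kdc.tgs_exchange(tgt, self.principal)
        info = unseal(self.keytab_key, ticket)
        if info["client"] != user:
            raise ValueError("ticket client mismatch")
        return "accepted-verified"


def run_scenarios() -> dict:
    host = "ws01.example.com"                    # constructed hostname
    host_key = secrets.token_bytes(32)           # what the keytab on ws01 holds
    real_kdc = KDC({"alice": derive_key("correct horse", "alice"),
                    f"host/{host}": host_key})
    # Rogue KDC on the same network: it keys 'alice' with a password of its
    # operator's choosing, but has no way to know ws01's host key.
    fake_kdc = KDC({"alice": derive_key("attacker-chosen", "alice")})

    results = {}
    results["real_kdc_keyed"] = Client(host, host_key).login(real_kdc, "alice", "correct horse")
    results["fake_kdc_unkeyed"] = Client(host, None).login(fake_kdc, "alice", "attacker-chosen")
    try:
        Client(host, host_key).login(fake_kdc, "alice", "attacker-chosen")
        results["fake_kdc_keyed"] = "accepted-verified"
    except ValueError:
        results["fake_kdc_keyed"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18} -> {outcome}")
```

The middle scenario is the one the reply warns about: with no keytab, the client accepts whatever KDC answered first, so Kerberos must not be the thing gating access to the machine itself. With a keytab present, the rogue KDC cannot forge a ticket for `host/ws01.example.com` and the login is refused.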
