[36052] in Kerberos


Re: Accessing Kerberos NFS version 4 (not 2, 3) via /net automounter

daemon@ATHENA.MIT.EDU (Nico Williams)
Tue Apr 15 16:07:04 2014

In-Reply-To: <534D8D12.6010901@oracle.com>
Date: Tue, 15 Apr 2014 15:06:21 -0500
Message-ID: <CAK3OfOg+xQrw+kvy8eJhyBrr53Mg7u9mdfCyJi_Bg2jtST=_vw@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Tomas Kuthan <tomas.kuthan@oracle.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>

On Tue, Apr 15, 2014 at 2:48 PM, Tomas Kuthan <tomas.kuthan@oracle.com> wrote:
> On 04/15/14 21:16, Nico Williams wrote:
>> That said, it's best practice to key all devices.  Still, nothing in
>> NFSv4 requires such keys to be named in host-based ways.
>
> Makes sense ... but still, basing on host is a nifty way of constructing
> unique principal name. Is there a meaningful alternative for mobile devices?

But it isn't nifty.  You quickly run into the issue that the hostname
has to have a record in whatever manages your DNS zones, else someone
might use that hostname and now some device has keys for its
principal.

Nico
--
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
