[36843] in Kerberos

Re: Switching identity using kinit/kdestroy for NFSv4 mounts

daemon@ATHENA.MIT.EDU (Brandon Allbery)
Fri Mar 13 10:05:37 2015

From: Brandon Allbery <ballbery@sinenomine.net>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Fri, 13 Mar 2015 14:05:15 +0000
Message-ID: <1426255515.11130.3.camel@vikktakkht>
In-Reply-To: <5502EC34.3020004@rz.uni-augsburg.de>

On Fri, 2015-03-13 at 14:55 +0100, Robert Wehn wrote:
> There is a bug report/suggested patch which seems to make it possible
> but never seemed to get into the kernel:
> http://www.spinics.net/lists/linux-nfs/msg34236.html
> 
> What is your opinion on this behavior?
> Do you think this is reasonable from a Kerberos point of view, or do you
> also think this needs to be changed?

This isn't Kerberos's fault, but NFS's; it's how it avoids having token
management like AFS uses (extra aklog step to register ticket with
filesystem and unlog to deregister it). Personally, I prefer AFS's way
of dealing with it; the whole business about snooping ticket caches and
caching its own private copy is concerning security-wise and seems like
it would easily become confused.

-- 
brandon s allbery kf8nh                           sine nomine associates
allbery.b@gmail.com                              ballbery@sinenomine.net
unix openafs kerberos infrastructure xmonad        http://sinenomine.net
