[36849] in Kerberos


Re: Switching identity using kinit/kdestroy for NFSv4 mounts doesn't

daemon@ATHENA.MIT.EDU (Robert Wehn)
Mon Mar 16 05:33:40 2015

Message-ID: <5506A35E.3070305@rz.uni-augsburg.de>
Date: Mon, 16 Mar 2015 10:33:18 +0100
From: Robert Wehn <robert.wehn@rz.uni-augsburg.de>
MIME-Version: 1.0
To: Simo Sorce <simo@redhat.com>, Brandon Allbery <ballbery@sinenomine.net>,
        Benjamin Kaduk <kaduk@mit.edu>, "kerberos@mit.edu" <kerberos@mit.edu>
In-Reply-To: <1426263896.2981.45.camel@willson.usersys.redhat.com>
Cc: CFS Team <cfs@rz.uni-augsburg.de>
Content-Type: text/plain; charset="windows-1252"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello *

@Brandon, Ben:
On 13.03.2015, 15:05 Brandon Allbery wrote:
> ... the whole business about snooping ticket caches and caching its
> own private copy is concerning security-wise and seems like it
> would easily become confused.

On 13.03.2015, 16:53 Benjamin Kaduk wrote:
> See Brandon's response as well, but from a security perspective,
> the kernel NFS implementation is wrong to cache things for so
> long, especially without providing a way to invalidate a cached
> entry.

It's nice to hear that we're not the only ones thinking this is not
such a good idea.


@Simo
On 13.03.2015 at 17:24 Simo Sorce wrote:
> Note that NFS does not cache a ticket, it simply does not destroy
> the GSS Session after it has been created.
We didn't get this detail from our test.
> An interface to allow to destroy the NFS's user session on kdestroy
> has been discussed with NFS upstream before but it hasn't gone
> anywhere yet.
Do you refer to these discussions or is there something else we missed?
http://thread.gmane.org/gmane.linux.nfs/46234
https://fedorahosted.org/gss-proxy/ticket/1


It looks like the problem is well known and there have been ideas to
solve it which never got into the kernel:
http://www.spinics.net/lists/linux-nfs/msg34236.html
http://www.citi.umich.edu/projects/asci/icsi-alpha/nfs-utils-patches/1.0.10-asci-2/nfs-utils-1.0.10-asci-017-add_nfslogin.dif

Does one of you have an idea how the situation can be pushed in the
right direction?

Our Canonical support contact created a bug here
https://bugzilla.kernel.org/show_bug.cgi?id=93891
and maybe a comment on it from the Kerberos community may help ...

Robert.

- -- 

Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (MingW32)

iQEcBAEBAgAGBQJVBqNeAAoJEP/Qkk76z7S5xGgH/18BYSkZG6pma77d1jrCPIik
o1IUb8ROQ/YHK4PQ3XRNI+spALzUQT+KECBsBCbw5VRi2DVcvQrKta26DdzVRo1q
10oljma4sFDVPURXmBafVbT5IIE9LZ1XkKsyNrzgFN/g7ATikcnxhADJIenG3ICp
Rj0hjmZw4leSftK4IrsN28bZjKarB61EOvmCF+9M90bmoqt4R/Bpvq63ZDYIneAR
oMS/iq4EAZHcv35kWwN65Dh1Qxb5ywedwBf/CxG06DNX9J3VGcNDe+f9E4vMQDAP
tDb8HpitstTcva0OaJYpYxr1FJ48OVRlZZdCoxfaJVgaV0Nd0PGHTQrrFnPaOlU=
=gv2z
-----END PGP SIGNATURE-----
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

