Hello, sorry for my late entry to the discussion on Kerberos. It's really good that you're working on it.
I wonder, has anybody thought about how to implement Kerberos+NFSv4 on diskless clients? My understanding is that every workstation needs to have a "$hostname/nfs" principal in Kerberos, with a secret key. Every machine which presents a correct principal and key can read the exported filesystem, but to write to it you need to authenticate to Kerberos (with a user principal). If any of this is incorrect, please correct me.

As the diskless filesystem is (by necessity) available to anyone, putting Kerberos keys for all clients there would be no more secure than NFSv3. One idea is to put the key on a HD or CF card, another is to put the encrypted keys in the chroot and prompt the admin for the password at boot. Of course, both of these suffer from the problem that the server can't be trusted (e.g. a second server on the network serving a filesystem which gathers keys and passwords).

John.

