https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234106
--- Comment #3 from Rick Macklem <[email protected]> --- When NFSv4 was being developed, I recall the specification authors clearly stating the "a reserved port# does not provide security and is not to be required for NFSv4 client mounts". I recall this being stated in the RFC, but I wasn't able to find it on a quick search (they are 275->500+ page documents). As such, the code does not require a reserved port# for NFSv4 mounts. (And I agree with the authors that it does not enhance security, since all it tells the server is that the "mounter" is root on the client. I suppose you can argue that there are machines that are "root secure" but with untrusted users that might try and run malicious fake NFSv4 clients on these machines, but...) If you want any sort of security for NFS mounts, you need to use sec=krb5[ip]. There is work now in progress for NFS over TLS, but that isn't implemented yet. (Just an internet draft at this point.) As such, I consider it a feature and not a bug, rick -- You are receiving this mail because: You are the assignee for the bug. _______________________________________________ [email protected] mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "[email protected]"
