I can't agree. Long run jobs and desktop sessions are two different cases. When a user leaves his desk at the end of the day and leaves his session open, it seems normal that the filesystem, without revalidation, becomes unavailable, like it always used to be. Once unavailable, it can't be used by an attacker who gains root access and, through sudo, gains user fs access. When the user gets back to his desk, he revalidates his ticket and things go on. Having an automatic ticket renewal discards any advantages of using nfsv4+kerberos (why not simply use nfsv3 and his, no ticket to renew, no FS availability issue …).
Long run jobs are another case, in which the user must access the FS over a long period, and shouldn't be handled in the same way. It can be done as you describe or through nfsv3 on a dedicated node where security is much more drastic. As I already said, a mainstream patch has been proposed to handle this: http://www.spinics.net/lists/linux-nfs/msg31257.html

Best,

On 2 Jul 2012 at 19:13, Dominic Gross wrote:

> Automatically renewing the ticket is not a security breach. Since it can
> be done without storing passwords I don't see why it should be unsafe.
> IMHO it currently is the only reasonably safe way to keep NFS home
> directories accessible for long running jobs (e.g. if you have to run a
> simulation overnight) and unattended GUI applications. If the user is
> not around the screen should be locked anyway. It is certainly much
> safer than just extending the expiration date of the ticket.

--
Christophe Ségui
IT Manager
Institut de Mathématiques de Toulouse
Université de Toulouse - CNRS
118 Route de Narbonne
31062 Toulouse Cedex 09
Tel : (+33) 5 61 55 63 78
[email protected]
http://www.math.univ-toulouse.fr

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/794112

Title:
  Kerberos + LDAP + NFSv4 on Natty - Unable to recover unattended client
