2010-09-27 08:55:36

by Zhang Weiwu

Subject: when will we be able to use LIPKEY on NFS4 on Linux?

Hello.

Quote from 2006 article:
http://www.ibm.com/developerworks/systems/library/es-nfs-security/index.html#N100AF

In /a few years/, NFS Version 4 implementations will start claiming
support for the public key-based security mechanism (SPKM and LIPKEY).


My question:

1. Is LIPKEY already implemented in some NFS4 implementation?
Particularly, I am interested in using it on Debian Linux.
2. I could not manage to find a how-to on using LIPKEY, e.g. where to
store the public key and certificates, where to configure
username/password for client authentication. Is there one existing?

Thanks in advance!



2010-09-27 12:24:33

by Trond Myklebust

Subject: Re: when will we be able to use LIPKEY on NFS4 on Linux?

On Mon, 2010-09-27 at 16:35 +0800, Zhang Weiwu wrote:
> Hello.
>
> Quote from 2006 article:
> http://www.ibm.com/developerworks/systems/library/es-nfs-security/index.html#N100AF
>
> In /a few years/, NFS Version 4 implementations will start claiming
> support for the public key-based security mechanism (SPKM and LIPKEY).
>
>
> My question:
>
> 1. Is LIPKEY already implemented in some NFS4 implementation?
> Particularly, I am interested in using it on Debian Linux.
> 2. I could not manage to find a how-to on using LIPKEY, e.g. where to
> store the public key and certificates, where to configure
> username/password for client authentication. Is there one existing?
>
> Thanks in advance!

We're likely to drop the requirement that SPKM3/LIPKEY be a mandatory
security mechanism for NFSv4 in the revised RFC3530 (a.k.a. RFC3530bis)
that is being drafted.

The reason is that the SPKM3 mechanism (on which LIPKEY relies) appears
to contain inherent security flaws that are difficult to fix. The IETF
security group have therefore pretty much killed it as an option.
Other alternatives to SPKM3 are being discussed, but I'm not aware of
anything that replaces LIPKEY.

Cheers
Trond


2010-09-27 15:01:56

by Zhang Weiwu

Subject: Re: when will we be able to use LIPKEY on NFS4 on Linux?

On 2010-09-27 20:24, Trond Myklebust wrote:
>
> We're likely to drop the requirement that SPKM3/LIPKEY ...
> SPKM3 mechanism (on which LIPKEY relies) appears
> to contain inherent security flaws that are difficult to fix.

Thanks for the clear answer. We have a few setups where an
infrastructure is close to not possible (Kerberos), thus at the moment we
are deciding between switching to Samba for username/password
authentication from NFS or using the long-expected LIPKEY. Samba might
have other inherent security flaws, but practically security is not a
priority of our concern at the moment. Your information is directly
helpful for making a decision :) Thanks!