2015-01-14 23:18:49

by Ralph Zack

Subject: Secure NFSv4 mounts and daemons

Hi all,

I have a number of NFSv4 shares which should only be accessible after
successful authentication, for which reason they are exported with
sec=krb5p. However, this method requires the user to obtain a kerberos
ticket to access files on the share, which is fine for regular users but
causes issues for daemons which are not kerberos-aware.

What is the common way to handle this problem? It can hardly be the only
solution to patch each service to obtain a ticket at startup. Please
correct me if I'm wrong, but I could not find any mechanism besides
kerberos that provides encryption and authentication for NFS shares. I'd
be fine with authentication on a host level, I mainly want to ensure
that only trusted machines can access these shares and that all
traffic is encrypted. Without the overhead of establishing a VPN
connection between client and server, in case anyone was going to
suggest that ;)

Cheers,

Ralph



2015-01-16 23:17:09

by Anthony Joseph Messina

Subject: Re: Secure NFSv4 mounts and daemons

On Thursday, January 15, 2015 12:12:01 AM Ralph Zack wrote:
> I have a number of NFSv4 shares which should only be accessible after
> successful authentication, for which reason they are exported with
> sec=krb5p. However, this method requires the user to obtain a kerberos
> ticket to access files on the share, which is fine for regular users but
> causes issues for daemons which are not kerberos-aware.
>
> What is the common way to handle this problem? It can hardly be the only
> solution to patch each service to obtain a ticket at startup. Please
> correct me if I'm wrong, but I could not find any mechanism besides
> kerberos that provides encryption and authentication for NFS shares. I'd
> be fine with authentication on a host level, I mainly want to ensure
> that only trusted machines can access these shares and that all
> traffic is encrypted. Without the overhead of establishing a VPN
> connection between client and server, in case anyone was going to
> suggest that

I use GSS-Proxy for this:
https://fedorahosted.org/gss-proxy/

-A

--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E



2015-01-16 09:06:56

by Paul van der Vlis

Subject: Re: Secure NFSv4 mounts and daemons

Hi Ralph,

On 15-01-15 at 00:12, Ralph Zack wrote:
> Hi all,
>
> I have a number of NFSv4 shares which should only be accessible after
> successful authentication, for which reason they are exported with
> sec=krb5p. However, this method requires the user to obtain a kerberos
> ticket to access files on the share, which is fine for regular users but
> causes issues for daemons which are not kerberos-aware.
>
> What is the common way to handle this problem? It can hardly be the only
> solution to patch each service to obtain a ticket at startup. Please
> correct me if I'm wrong, but I could not find any mechanism besides
> kerberos that provides encryption and authentication for NFS shares. I'd
> be fine with authentication on a host level, I mainly want to ensure
> that only trusted machines can access these shares and that all
> traffic is encrypted. Without the overhead of establishing a VPN
> connection between client and server, in case anyone was going to
> suggest that ;)

I've once seen that something like this makes a ticket:
su -c "echo password | kinit user" user
But never used it in reality.

Maybe you can ask this question better in the Kerberos mailing list.
I think this is not a good solution...

With regards,
Paul van der Vlis





--
Paul van der Vlis Linux system administration, Groningen
http://www.vandervlis.nl/


2015-01-16 21:36:24

by Benjamin Coddington

Subject: Re: Secure NFSv4 mounts and daemons

On Fri, 16 Jan 2015, Paul van der Vlis wrote:

> Hi Ralph,
>
> On 15-01-15 at 00:12, Ralph Zack wrote:
> > Hi all,
> >
> > I have a number of NFSv4 shares which should only be accessible after
> > successful authentication, for which reason they are exported with
> > sec=krb5p. However, this method requires the user to obtain a kerberos
> > ticket to access files on the share, which is fine for regular users but
> > causes issues for daemons which are not kerberos-aware.
> >
> > What is the common way to handle this problem? It can hardly be the only
> > solution to patch each service to obtain a ticket at startup. Please
> > correct me if I'm wrong, but I could not find any mechanism besides
> > kerberos that provides encryption and authentication for NFS shares. I'd
> > be fine with authentication on a host level, I mainly want to ensure
> > that only trusted machines can access these shares and that all
> > traffic is encrypted. Without the overhead of establishing a VPN
> > connection between client and server, in case anyone was going to
> > suggest that ;)
>
> I've once seen that something like this makes a ticket:
> su -c "echo password | kinit user" user
> But never used it in reality.
>
> Maybe you can ask this question better in the Kerberos mailing list.
> I think this is not a good solution...
>
> With regards,
> Paul van der Vlis

Wow, looks like kinit /will/ read your password from stdin. I had no idea.

I've done this with a keytab and cron job running as the
service's user to keep the credential caches for the service's user fresh.
Kinit should be something like `kinit -kt /keytab/file batch/[email protected]`
Run your jobs more frequently than the ticket expiry time and everything
should be fine.

Ben
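
An added example, not part of any message in this thread: a wrapper for the keytab-plus-cron approach described above that refuses a keytab readable by group or others before calling kinit, since anyone who can read the keytab can obtain tickets as that principal. The script name, keytab path and principal are placeholders (the principal in the message above is obscured), and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: refresh a service user's Kerberos credential cache from a keytab.
# Meant for the service user's own crontab, at an interval shorter than the
# ticket lifetime. Constructed crontab entry (paths and principal are placeholders):
#   */30 * * * * /usr/local/bin/krb5-refresh.sh /etc/myservice/service.keytab batch/host.example.com@EXAMPLE.COM

# keytab_is_private FILE
# Succeeds only if FILE is a regular file with no group/other permission bits.
keytab_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1   # GNU coreutils stat, e.g. "600"
    case "$mode" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# refresh_ticket KEYTAB PRINCIPAL
# Returns 0 on success, 2 if the keytab is missing or too permissive,
# 3 if kinit fails or no valid credential cache exists afterwards.
refresh_ticket() {
    keytab=$1
    principal=$2
    if ! keytab_is_private "$keytab"; then
        echo "refusing keytab $keytab: missing or accessible to group/others" >&2
        return 2
    fi
    # -k takes the key from a keytab, -t names the keytab file;
    # no password is typed or piped anywhere.
    if ! kinit -k -t "$keytab" "$principal"; then
        echo "kinit failed for $principal" >&2
        return 3
    fi
    # klist -s prints nothing; its exit status says whether the cache is valid.
    klist -s || return 3
    return 0
}

# Run only when called with both arguments, so the functions can be sourced.
if [ "$#" -eq 2 ]; then
    refresh_ticket "$1" "$2"
    exit $?
fi
```

A non-zero exit lets cron mail the error, so a failed refresh is noticed before the daemon starts getting permission errors on the share.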

2015-01-17 12:27:48

by Ralph Zack

Subject: Re: Secure NFSv4 mounts and daemons

On 01/16/2015 10:36 PM, Benjamin Coddington wrote:
> Wow, looks like kinit /will/ read your password from stdin. I had no idea.
>
> I've done this with a keytab and cron job running as the
> service's user to keep the credential caches for the service's user fresh.
> Kinit should be something like `kinit -kt /keytab/file batch/[email protected]`
> Run your jobs more frequently than the ticket expiry time and everything
> should be fine.


That is pretty much what I had in mind if there was no better solution.
It just seemed a bit hacky to me and I thought there was maybe a more
elegant solution, but I may end up doing it like that.

On 01/17/2015 12:11 AM, Anthony Messina wrote:
> I use GSS-Proxy for this:
> https://fedorahosted.org/gss-proxy/
>

That looks very interesting at first glance, I'll have a closer look at
it. Thanks!

- Ralph