Re: [nfsv4] NFSv4 Persistent Mounts and Authentication

Benjamin Kaduk <kaduk@mit.edu> Wed, 21 June 2017 00:00 UTC

Date: Tue, 20 Jun 2017 19:00:01 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Lesley Kimmel <lesley.j.kimmel@gmail.com>
Cc: nfsv4@ietf.org
Message-ID: <20170621000001.GD39245@kduck.kaduk.org>
References: <CAAQu=7QqQFokuuMWAbfw9x2jq2GeoqMpHAV4kJLQoUUjw1QPAA@mail.gmail.com>
In-Reply-To: <CAAQu=7QqQFokuuMWAbfw9x2jq2GeoqMpHAV4kJLQoUUjw1QPAA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/p2UwdYV_oQI0yQzKZemjIuRGui0>

On Tue, Jun 20, 2017 at 07:36:59AM -0500, Lesley Kimmel wrote:
> All;
> 
> Forgive me if this question is somewhat incorrect as we are just getting
> started with NFSv4.
> 
> It seems that [kerberized] NFSv4 is well suited for things like home
> directories that can be authenticated and mounted when a user accesses the
> system. However, we are considering a few issues and are wondering what the
> recommended configuration is:
> 
> 1) Users execute a long running job (assume longer than the Kerberos ticket
> lifetime) and log out. How can the Kerberos ticket automatically be renewed
> so that these types of jobs continue to run?

An impromptu option is to use the k5start utility
(https://www.eyrie.org/~eagle/software/kstart/k5start.html) to wrap
the long-running job, which does involve having k5start store the
plaintext user password in memory for the duration of the job or
turning the password into a keytab file, neither of which is
super-great from a security point of view.

A somewhat better option is to issue dedicated additional Kerberos
principals to users running long jobs, perhaps as
user/longjobs@REALM or similar.  Those new principals can be granted
access to write to just the needed portion of secure storage and do
not have other privileges granted to the regular user@REALM
principals, so there is less risk in leaving the credentials around
with the long-running job.

> 2) How would CRON jobs executing scripts from an NFS share gain a Kerberos
> ticket to be able to perform these actions?

Generally the simplest way is to give whatever is running cron
its own principal (e.g., host/a.host.running.cron@REALM) and grant
the necessary filesystem permissions to that additional principal.

-Ben
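
The wrapper below is an added example, not part of the list thread and not code from kstart or the NFSv4 working group. It puts together the two suggestions above for both the long-job and the cron case: a dedicated principal with its own keytab, a private credential cache that the job cannot confuse with the user's login cache, and a check that refuses to use a keytab that anyone but its owner can read (a keytab is a long-lived password equivalent for the principal it holds). The realm EXAMPLE.ORG, the keytab path under ~/.k5, the principal names and the kadmin invocation in the comments are assumptions; the k5start flags used are -f (keytab), -u (client principal), -k (ticket cache), -K (renewal interval in minutes), -l (ticket lifetime) and -q (quiet).

```shell
#!/bin/sh
# Added example: run a job under a dedicated, least-privilege Kerberos
# principal via k5start. Paths, realm and principal names are assumptions.
set -eu

# One-time setup by a Kerberos admin (shown as comments; assumed MIT kadmin):
#   kadmin -q 'addprinc -randkey user/longjobs@EXAMPLE.ORG'
#   kadmin -q 'ktadd -k /home/user/.k5/longjobs.keytab user/longjobs@EXAMPLE.ORG'
#   chmod 0600 /home/user/.k5/longjobs.keytab
# and on the NFS server, grant user/longjobs@EXAMPLE.ORG write access only to
# the directory the job needs (for example via an NFSv4 ACL on that directory).

# Refuse a keytab that is group- or world-readable or missing.
check_keytab_perms() {
    keytab=$1
    [ -f "$keytab" ] || { echo "keytab not found: $keytab" >&2; return 1; }
    # GNU stat prints the octal mode with -c %a; BSD/macOS stat with -f %Lp.
    mode=$(stat -c '%a' "$keytab" 2>/dev/null || stat -f '%Lp' "$keytab")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "keytab $keytab is mode $mode; must be 0600 or 0400" >&2; return 1 ;;
    esac
}

# Build the k5start command line for a job. k5start obtains a TGT for the
# principal from the keytab into the given cache, re-obtains it every -K
# minutes for as long as the command runs, exports KRB5CCNAME to the command,
# and destroys the cache when the command exits.
#   $1 keytab, $2 principal, $3 ticket cache, remaining args: the command
k5start_cmdline() {
    keytab=$1; princ=$2; cache=$3; shift 3
    printf 'k5start -q -f %s -u %s -k %s -K 10 -l 10h -- %s\n' \
        "$keytab" "$princ" "$cache" "$*"
}

# Run a command with credentials from a dedicated keytab.
#   $1 keytab, $2 principal, remaining args: the command and its arguments
run_job_with_creds() {
    keytab=$1; princ=$2; shift 2
    check_keytab_perms "$keytab"
    # A private cache in a fresh mktemp directory, so the job never reads,
    # clobbers or outlives the user's interactive login cache.
    cache="$(mktemp -d /tmp/k5job.XXXXXX)/cc"
    exec k5start -q -f "$keytab" -u "$princ" -k "$cache" -K 10 -l 10h -- "$@"
}

# Example use (long-running job started before logging out, e.g. under nohup):
#   run_job_with_creds ~/.k5/longjobs.keytab user/longjobs@EXAMPLE.ORG ./simulate --steps 1000000
# Example cron entry, using the host principal for the machine running cron;
# /etc/krb5.keytab is normally root-only, so this goes in root's crontab:
#   0 2 * * * k5start -q -f /etc/krb5.keytab -u host/a.host.running.cron@EXAMPLE.ORG -k /tmp/krb5cc_cron -K 10 -l 2h -- /srv/nfs/scripts/nightly.sh
[ "${K5_EXAMPLE_RUN:-}" = 1 ] && run_job_with_creds "$@"
```

Two caveats a practitioner should keep in mind: the ticket lifetime given with -l is still bounded by the KDC's maximum for that principal, so a job that outlives it depends on k5start's periodic re-acquisition from the keytab rather than on renewal; and the job's NFS writes are authorized as the dedicated principal, so the export and the directory ACLs on the server must grant that principal (not the user's regular principal) the access the job needs.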