• Re: About the purpose of client host principals for NFS

    From Russ Allbery@eagle@eyrie.org to Marco Rebhan via Kerberos on Sat Oct 7 13:15:32 2023
    From Newsgroup: comp.protocols.kerberos

    Marco Rebhan via Kerberos <kerberos@mit.edu> writes:

    > What purpose does the host principal for clients serve here? I assumed
    > it would be either used to authenticate hosts before they're allowed to
    > obtain a TGT, or authenticate for mounting NFS shares, but clearly
    > that's not the case since it works without. Is it only used so that the
    > network share can be mounted without a user TGT?

    Yup, pretty much. There is indeed no need to key clients if you're going
    to obtain credentials after login with something like kinit and you don't
    care about more sophisticated Kerberos network protection features like
    FAST.

    The other reason to key a client is so that it can verify that the
    password that you enter is indeed a valid Kerberos credential so that you
    can use Kerberos to control access to the system itself. If the system
    doesn't have any keys (and you don't have something like anonymous PKINIT
    available), then the client computer can't tell the difference between
    getting Kerberos credentials from a real KDC or from a fake KDC that
    someone put on the same network. This only matters in cases where someone
    might be trying to log on to the client system with fake Kerberos
    credentials, and doesn't really matter if you're logging on to the system
    with local credentials and then getting Kerberos credentials later.

    (This is mostly relevant for work computers that use central Kerberos to
    authenticate all access, computer labs that have multiple users, and
    similar sorts of cases.)
    --
    Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Simo Sorce@simo@redhat.com to Marco Rebhan on Mon Oct 9 10:28:45 2023
    From Newsgroup: comp.protocols.kerberos

    On Sun, 2023-10-08 at 03:03 +0200, Marco Rebhan via Kerberos wrote:
    > On Saturday, 7 October 2023 22:15:32 CEST Russ Allbery wrote:
    > > [..]
    >
    > That clears up a lot, thank you so much!

    Keying clients is useful to allow mount at boot time, before any user
    with valid credentials has logged in, as well as for NFS 4.0 only (does
    not apply to earlier protocol version nor to 4.1 and later) to do some
    callback calls to the server where the protocol does not know what user
    to use.

    It is not strictly needed, if you use autofs for homes for example you
    can live w/o a client service principal.

    HTH,
    Simo.
    --
    Simo Sorce,
    DE @ RHEL Crypto Team,
    Red Hat, Inc
