• About the purpose of client host principals for NFS

    From Marco Rebhan@21:1/5 to All on Sat Oct 7 21:21:23 2023
    Hey list,

    I'm currently setting up Kerberos for my home network. The main motivation was to get secure NFS, and as such I've looked at various guides on how to set it up for that. They (for example, the Arch Wiki[1]) pretty much all tell you to create principals for the host and NFS service for both the NFS server and clients that want to connect.

    However, after setting up the NFS server and my Linux PC like this, I tested the whole setup with my MacBook which doesn't have a host principal or any other krb5 configuration yet (it can find the KDC due to DNS), and to my surprise it can both obtain a TGT for my user and afterwards also mount the NFS share.

    What purpose does the host principal for clients serve here? I assumed it would be either used to authenticate hosts before they're allowed to obtain a TGT, or authenticate for mounting NFS shares, but clearly that's not the case since it works without. Is it only used so that the network share can be mounted without a user TGT?

    Thanks,
    Marco

    [1]: https://wiki.archlinux.org/title/Kerberos#NFS_security

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Russ Allbery@21:1/5 to Marco Rebhan via Kerberos on Sat Oct 7 13:15:32 2023
    Marco Rebhan via Kerberos <[email protected]> writes:

    > What purpose does the host principal for clients serve here? I assumed
    > it would be either used to authenticate hosts before they're allowed to
    > obtain a TGT, or authenticate for mounting NFS shares, but clearly
    > that's not the case since it works without. Is it only used so that the
    > network share can be mounted without a user TGT?

    Yup, pretty much. There is indeed no need to key clients if you're going
    to obtain credentials after login with something like kinit and you don't
    care about more sophisticated Kerberos network protection features like
    FAST.

    The other reason to key a client is so that it can verify that the
    password that you enter is indeed a valid Kerberos credential so that you
    can use Kerberos to control access to the system itself. If the system
    doesn't have any keys (and you don't have something like anonymous PKINIT
    available), then the client computer can't tell the difference between
    getting Kerberos credentials from a real KDC or from a fake KDC that
    someone put on the same network. This only matters in cases where someone
    might be trying to log on to the client system with fake Kerberos
    credentials, and doesn't really matter if you're logging on to the system
    with local credentials and then getting Kerberos credentials later.

    (This is mostly relevant for work computers that use central Kerberos to
    authenticate all access, computer labs that have multiple users, and
    similar sorts of cases.)

    --
    Russ Allbery ([email protected]) <https://www.eyrie.org/~eagle/>

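Added example, not part of any post in this thread: a toy model of the KDC verification step described in the reply above, showing why a client without a host key accepts any KDC while a keyed client does not. The HMAC "sealing" is a stand-in for real Kerberos encryption, and every name here (`ToyKDC`, `login`, the principals and passwords) is hypothetical.

```python
import hashlib
import hmac
import os

def string_to_key(principal, password):
    # Stand-in for Kerberos string-to-key: salt the password with the principal.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 1000)

def seal(key, payload):
    # Stand-in for ticket encryption: payload plus a MAC only a key holder can make.
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def opens(key, blob):
    # True if the blob was sealed under this key.
    payload, tag = blob[:-32], blob[-32:]
    return hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest())

class ToyKDC:
    def __init__(self, keys):
        self.keys = keys  # principal name -> long-term key

    def reply_for(self, principal):
        # Model of both the AS reply (user) and a service ticket (host):
        # each is sealed under the long-term key the KDC holds for it.
        return seal(self.keys[principal], b"ticket:" + principal.encode())

def login(kdc, user, password, keytab=None):
    """Return True if the client would accept this login."""
    if not opens(string_to_key(user, password), kdc.reply_for(user)):
        return False  # reply was not sealed with this password's key
    if keytab is None:
        return True  # unkeyed client: nothing left to check the KDC against
    host, host_key = keytab
    # Keyed client: request a ticket for its own host principal and check it
    # against the keytab. Only a KDC that knows the host key can pass.
    return opens(host_key, kdc.reply_for(host))

# Constructed sample principals and secrets.
USER, HOST = "alice@EXAMPLE.TEST", "host/pc.example.test@EXAMPLE.TEST"
host_key = os.urandom(32)  # shared by the real KDC and the client keytab
real_kdc = ToyKDC({USER: string_to_key(USER, "correct horse"), HOST: host_key})
# Stand-in for a fake KDC on the same network: it can choose any password
# for alice, but has to make up a host key because it never saw the keytab.
fake_kdc = ToyKDC({USER: string_to_key(USER, "anything"), HOST: os.urandom(32)})
```
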
  • From Marco Rebhan@21:1/5 to All on Sun Oct 8 03:03:09 2023
    Copy: [email protected] (Russ Allbery)

    On Saturday, 7 October 2023 22:15:32 CEST Russ Allbery wrote:
    > [..]

    That clears up a lot, thank you so much!

    -Marco


  • From Simo Sorce@21:1/5 to Marco Rebhan on Mon Oct 9 10:28:45 2023
    To: [email protected]

    On Sun, 2023-10-08 at 03:03 +0200, Marco Rebhan via Kerberos wrote:
    > On Saturday, 7 October 2023 22:15:32 CEST Russ Allbery wrote:
    > > [..]
    >
    > That clears up a lot, thank you so much!

    Keying clients is useful to allow mount at boot time, before any user
    with valid credentials has logged in, as well as for NFS 4.0 only (does
    not apply to earlier protocol versions nor to 4.1 and later) to do some
    callback calls to the server where the protocol does not know what user
    to use.

    It is not strictly needed; if you use autofs for homes, for example, you
    can live w/o a client service principal.

    HTH,
    Simo.

    --
    Simo Sorce,
    DE @ RHEL Crypto Team,
    Red Hat, Inc
