Re: NFS4 and Kerberos

To: debian-edu@lists.debian.org
Subject: Re: NFS4 and Kerberos
From: Jonas Smedegaard <dr@jones.dk>
Date: Mon, 10 Jan 2011 13:28:36 +0100
Message-id: <[🔎] 20110110122836.GF6978@jones.dk>
Reply-to: debian-edu@lists.debian.org
In-reply-to: <[🔎] 20110108003116.47454bjxlsbb1q9w@mail.das-netzwerkteam.de>
References: <[🔎] 20110105175842.GA4276@flashgordon> <[🔎] 20110105181024.GA24784@login1.uio.no> <[🔎] 20110106021653.63432xwz912v5g5h@mail.das-netzwerkteam.de> <[🔎] 20110106111235.GA3175@flashgordon> <[🔎] 20110106221312.81602s4ugdxq6ico@mail.das-netzwerkteam.de> <[🔎] 20110107094141.GA7005@flashgordon> <[🔎] 20110108003116.47454bjxlsbb1q9w@mail.das-netzwerkteam.de>

On Sat, Jan 08, 2011 at 12:31:16AM +0100, Mike Gabriel wrote:

Hi Andi,

On Fr 07 Jan 2011 10:41:41 CET "Andreas B. Mundt" wrote:
Take a look at<URL:http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/cf/cf.homes>,i.e. our exports file. If a machine want's to mount the homedirectories, it first has to be added to a netgroup that allowsmounting the share. So if you walk into the school with your Laptop tofake an identity on the net, it will not work the first time, becauseyour MAC address will be differerent from the machines in the netgroupyou need the membership of. The next day you walk into school you willbe better prepared, you modified the Laptop's MAC. Now, just plug offthe machine you got the MAC from and use your Laptop instead with thenice user ID. I guess that's how current security is thought to be.
This setup is not really secure. If you have access to one of theschool computers (Skolelinux clients) you boot it, use ifconfig andlook up its IP. Then you shut the Skolelinux client down, take over itsIP (static IP, not DHCP) and then you can mount the NFS share(s) ontjener.

Inspired by your recent comment, Mike, on appreciating historicalreasonings, I can shed some light on the above:

Historically (i.e. 2003-2004 timeframe at least[1][2]) Skolelinux thinclients was assumed to be served in a non-hostile environment.

You might find interest in (re)reading that old discussion, which alsotouches Kerberos (although only briefly - I had and still have toolittle experience in that area).

My interest in raising it here is not fingerpointing but potential forenlightenment.

If anyone non-scandinavian are curious about the first (heated)discussion then tell me what kind of details you are interested in and Ishall try to summarize in english.



Kind regards,

 - Jonas

Very very happy to follow this current effort on integrating Kerberos!

[1]https://init.linpro.no/pipermail/skolelinux.no/linuxiskolen/2003-April/009981.html


[2] http://lists.debian.org/msgid-search/404D0BEE.5010106@jones.dk

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- NFS4 and Kerberos: A-records for same IP inflate the need for service principals
  - From: "Andreas B. Mundt" <andi.mundt@web.de>
- Re: NFS4 and Kerberos: A-records for same IP inflate the need for service principals
  - From: Petter Reinholdtsen <pere@hungry.com>
- Re: NFS4 and Kerberos: A-records for same IP inflate the need for service principals
  - From: Mike Gabriel <m.gabriel@das-netzwerkteam.de>
- Re: NFS4 and Kerberos: A-records for same IP inflate the need for service principals
  - From: "Andreas B. Mundt" <andi.mundt@web.de>
- Re: NFS4 and Kerberos
  - From: Mike Gabriel <m.gabriel@das-netzwerkteam.de>
- Re: NFS4 and Kerberos
  - From: "Andreas B. Mundt" <andi.mundt@web.de>
- Re: NFS4 and Kerberos
  - From: Mike Gabriel <m.gabriel@das-netzwerkteam.de>

Prev by Date: Re: DNS broken (was: NFS4 and Kerberos: A-records for same IP inflate the need for service principals)
Next by Date: Re: DNS broken
Previous by thread: Re: NFS4 and Kerberos
Next by thread: DNS broken (was: NFS4 and Kerberos: A-records for same IP inflate the need for service principals)
Index(es):
- Date
- Thread