From: J. Bruce Fields (bfields@fieldses.org)
Date: 10/29/03-06:25:53 PM Z
Subject: Re: [nfsv4] AUTH_GSS for Callbacks
Message-ID: <20031030002553.GE2404@fieldses.org>
From: "J. Bruce Fields" <bfields@fieldses.org>
Date: Wed, 29 Oct 2003 19:25:53 -0500

On Wed, Oct 29, 2003 at 06:18:46PM -0500, wurzl, mario wrote:
> This implies that a system administrator will have to generate keys for a
> service 'root@client' and store it in the Kerberos keytab of all client
> systems. I have a hard time imagining a system administrator doing this
> process for a network with several thousand clients.

It's going to be difficult to make the clients as secure as they should
be without one.

Any unique principal should suffice for the client, since the server
probably doesn't care in practice who the client is (usually it will
only matter that the client can identify the server.)

So why not just have a cgi script (or whatever) that hands out tickets
for principals of the form "anonymous-host/38456@MYREALM" to whoever
asks for one? As long as it never hands out the same key twice, and as
long as the keys are transmitted securely, I don't see any risk.

--Bruce Fields

_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www1.ietf.org/mailman/listinfo/nfsv4
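The bookkeeping such an issuing script would need, sketched as an added example (not part of the original message and not code from any NFSv4 or Kerberos implementation): each request gets a principal number that is never reused and a fresh random key, and a repeated key is rejected by the database itself. The function names, the SQLite registry and the 32-byte key length are assumptions; registering the principal with the KDC and the secure channel to the client are outside the sketch.

```python
import hashlib
import secrets
import sqlite3

REALM = "MYREALM"          # realm name as written in the message
PREFIX = "anonymous-host"  # principal prefix as written in the message
KEY_BYTES = 32             # assumption: 256-bit key material


def open_registry(path=":memory:"):
    """Open (or create) the issuance registry (hypothetical helper).

    AUTOINCREMENT guarantees an id is never reused, even after rows are
    deleted; UNIQUE on key_fp guarantees no key is handed out twice.
    """
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS issued ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " key_fp TEXT NOT NULL UNIQUE)"
    )
    return db


def issue(db):
    """Return (principal, key) for one request (hypothetical helper).

    Only a SHA-256 fingerprint of the key is stored, so the registry can
    detect a repeated key without retaining key material.
    """
    while True:
        key = secrets.token_bytes(KEY_BYTES)  # CSPRNG, not random.random()
        fp = hashlib.sha256(key).hexdigest()
        try:
            with db:  # one transaction: commit on success, roll back on error
                cur = db.execute(
                    "INSERT INTO issued (key_fp) VALUES (?)", (fp,)
                )
        except sqlite3.IntegrityError:
            continue  # fingerprint already issued: draw a new key
        return f"{PREFIX}/{cur.lastrowid}@{REALM}", key


if __name__ == "__main__":
    registry = open_registry()
    principal, _key = issue(registry)
    print(principal)
```

Because the number allocation and the uniqueness check happen in one transaction, two concurrent requests against the same registry file cannot receive the same principal or the same key.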