Originally posted by Chugworth
Next is to use the cross-platform Kerberos NFS option.
To use Kerberos NFS in a decent, sane way you need gssproxy; this can do encrypted identification as one option or completely encrypt the traffic as another.
It might become clear reading the above. The reality is that Kerberos NFS 4, the one that supports full encryption and a lot more identification, is a Kerberos application that uses gssproxy for the Kerberos tasks.
Then you have a lot of older legacy systems that don't support NFS TLS or NFS Kerberos at all, and most of those have older, worse-performing protocol options with security that no longer works anyhow. So you have to do elvis solution.
Yes, the reality is NFS does not implement encryption itself; instead it offloads it to some party, being either gssproxy (for Kerberos) or in-kernel TLS.
The NFS documentation is very short on encryption and security because, simply, the NFS protocol does not implement encryption, heck, it barely does user identification; instead these are offloaded to software that provides TLS and Kerberos support.
Yes, setting up NFS to use gssproxy only needs a few fine steps. Setting up a detailed Kerberos configuration for NFS means setting up a Kerberos server, which is kind of outside NFS, then setting up all the fine settings, which are all gssproxy items that are the same for gssproxy Kerberos applications. See, very quickly this stops being NFS.
Chugworth, NFS has always been developed with a "do not reinvent the wheel" model, leading to this: if you want to do X, you need to get to know how to configure applications that are not NFS, because the NFS implementation will have offloaded the feature.
The most common reason why NFSv3 or NFSv4 is used without encryption is performance. Yes, NFSv4 does not always perform better than NFSv3; this is because NFSv4 does have better locking, so yes, you can gain performance using NFSv3 with a high risk of messed-up data.
The most commonly used encrypted form of NFS is the Kerberos form because it is cross-platform and you don't end up having issues with the in-kernel TLS. Yes, the issue with in-kernel TLS is if other applications also need to be using it. gssproxy was designed from the ground up so that you would have multiple different Kerberos applications running at the same time.
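The Kerberos options described in the post above (identification only versus fully encrypted traffic) correspond to the `sec=krb5`, `sec=krb5i` and `sec=krb5p` export options in exports(5). As an added example that is not part of the original post, this audit flags exports that still allow cleartext data; the sample file and names in it are constructed, the `xprtsec=` TLS option is assumed to be available (recent nfs-utils), and the `-options` default syntax of exports(5) is not handled.

```python
import re

# What each sec= flavor from exports(5) protects on the wire.
FLAVORS = {
    "sys":   "no Kerberos: client-asserted UID/GID, cleartext",
    "krb5":  "Kerberos identification only, data in cleartext",
    "krb5i": "Kerberos identification + integrity, data in cleartext",
    "krb5p": "Kerberos identification + integrity + encryption",
}
ENTRY = re.compile(r"(\S+?)\(([^)]*)\)")  # matches client(opt,opt,...)

def audit_exports(text):
    """Return (path, client, flavor, note) for every accepted flavor weaker
    than krb5p on exports that do not require TLS through xprtsec=."""
    findings = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continuations
        parts = raw.split("#", 1)[0].split(None, 1)      # drop comments
        if len(parts) < 2:
            continue
        path, rest = parts
        for client, optstr in ENTRY.findall(rest):
            opts = dict(o.partition("=")[::2] for o in optstr.split(",") if o)
            # xprtsec without "none" means only TLS/mTLS clients are accepted.
            if "none" not in opts.get("xprtsec", "none").split(":"):
                continue
            # sec= is a colon-separated list; with no sec= the default is sys.
            for flavor in opts.get("sec", "sys").split(":"):
                if flavor != "krb5p":
                    note = FLAVORS.get(flavor, "unknown flavor")
                    findings.append((path, client, flavor, note))
    return findings

# Constructed sample /etc/exports content (hosts and paths are made up).
SAMPLE = """\
/srv/home    *.example.test(rw,sec=krb5p)
/srv/build   10.0.0.0/24(rw,sec=krb5:krb5i)   # Kerberos, but not encrypted
/srv/legacy  10.0.9.7(ro)
/srv/tls     10.0.1.0/24(rw,xprtsec=tls:mtls)
"""

if __name__ == "__main__":
    for path, client, flavor, note in audit_exports(SAMPLE):
        print(f"{path} -> {client}: sec={flavor} ({note})")
```
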