

Re: About the purpose of client host principals for NFS

https://www.novabbs.com/devel/article-flat.php?id=381&group=comp.protocols.kerberos#381

Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail
From: eag...@eyrie.org (Russ Allbery)
Newsgroups: comp.protocols.kerberos
Subject: Re: About the purpose of client host principals for NFS
Date: Sat, 07 Oct 2023 13:15:32 -0700
Organization: The Eyrie
Lines: 30
Message-ID: <mailman.5.1696709744.2263420.kerberos@mit.edu>
References: <2245400.ev0DxJNslZ@invader>
<87r0m6ur2z.fsf@hope.eyrie.org>
Mime-Version: 1.0
Content-Type: text/plain
In-Reply-To: <2245400.ev0DxJNslZ@invader> (Marco Rebhan via Kerberos's message
of "Sat, 07 Oct 2023 21:21:23 +0200")

Marco Rebhan via Kerberos <kerberos@mit.edu> writes:

> What purpose does the host principal for clients serve here? I assumed
> it would be either used to authenticate hosts before they're allowed to
> obtain a TGT, or authenticate for mounting NFS shares, but clearly
> that's not the case since it works without. Is it only used so that the
> network share can be mounted without a user TGT?

Yup, pretty much. There is indeed no need to key clients if you're going
to obtain credentials after login with something like kinit and you don't
care about more sophisticated Kerberos network protection features like
FAST.

The other reason to key a client is so that it can verify that the
password that you enter is indeed a valid Kerberos credential so that you
can use Kerberos to control access to the system itself. If the system
doesn't have any keys (and you don't have something like anonymous PKINIT
available), then the client computer can't tell the difference between
getting Kerberos credentials from a real KDC or from a fake KDC that
someone put on the same network. This only matters in cases where someone
might be trying to log on to the client system with fake Kerberos
credentials, and doesn't really matter if you're logging on to the system
with local credentials and then getting Kerberos credentials later.

(This is mostly relevant for work computers that use central Kerberos to
authenticate all access, computer labs that have multiple users, and
similar sorts of cases.)

--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>
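Added worked example, not part of Russ Allbery's reply and not code from any Kerberos implementation: a toy Python model of the check a keyed client can do that an unkeyed one cannot. Tickets here are JSON payloads with an HMAC tag under the principal's key, standing in for real Kerberos ticket encryption; the realm EXAMPLE.COM, the host client.example.com, the user alice, and the KDC/RogueKDC/login names are all constructed for the illustration. The point it shows is the one in the reply above: a login program on a keyed client can ask for a ticket to its own host/ principal and check it against its keytab, which a rogue KDC on the same network cannot satisfy, whereas an unkeyed client has nothing local to check against.

```python
"""Toy model (constructed example) of why a keyed client can detect a fake KDC.

Not Kerberos wire format: a "ticket" is a JSON payload plus an HMAC tag
computed under the key of the principal the ticket is issued to. Only a KDC
that holds the key for host/<fqdn> can produce a ticket that the client's
keytab will verify.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _tag(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_ticket(key: bytes, client: str, service: str) -> dict:
    """Bind (client, service) to a tag that only a holder of `key` can produce."""
    payload = json.dumps({"client": client, "service": service}, sort_keys=True)
    return {"payload": payload, "tag": _tag(key, payload.encode())}


def verify_ticket(key: bytes, ticket: dict, service: str) -> bool:
    """Service side: genuine iff the tag checks under our own key and names us."""
    expected = _tag(key, ticket["payload"].encode())
    if not hmac.compare_digest(expected, ticket["tag"]):
        return False
    return json.loads(ticket["payload"])["service"] == service


class KDC:
    """A KDC holding a key for every principal in its realm (hypothetical class)."""

    def __init__(self, realm: str):
        self.realm = realm
        self.tgs = "krbtgt/" + realm
        self.keys = {self.tgs: secrets.token_bytes(32)}  # principal -> key
        self.passwords = {}                               # user -> password

    def add_host(self, fqdn: str) -> bytes:
        key = secrets.token_bytes(32)  # what the admin extracts into the client keytab
        self.keys["host/" + fqdn] = key
        return key

    def add_user(self, user: str, password: str) -> None:
        self.passwords[user] = password

    def as_exchange(self, user: str, password: str) -> Optional[dict]:
        """AS-REQ/AS-REP: a TGT if the password is right (kinit does this)."""
        if self.passwords.get(user) != password:
            return None
        return issue_ticket(self.keys[self.tgs], user, self.tgs)

    def tgs_exchange(self, tgt: dict, service: str) -> Optional[dict]:
        """TGS-REQ/TGS-REP: turn a valid TGT into a ticket for `service`."""
        if not verify_ticket(self.keys[self.tgs], tgt, self.tgs):
            return None
        if service not in self.keys:
            return None
        client = json.loads(tgt["payload"])["client"]
        return issue_ticket(self.keys[service], client, service)


class RogueKDC(KDC):
    """Fake KDC on the same network: answers every AS-REQ, but has no host key."""

    def as_exchange(self, user: str, password: str) -> Optional[dict]:
        return issue_ticket(self.keys[self.tgs], user, self.tgs)

    def tgs_exchange(self, tgt: dict, service: str) -> Optional[dict]:
        # Lacking the real host key, the best it can do is a ticket tagged
        # under some key of its own choosing.
        client = json.loads(tgt["payload"])["client"]
        return issue_ticket(secrets.token_bytes(32), client, service)


def login(kdc: KDC, user: str, password: str, host_fqdn: str,
          keytab: Optional[bytes]) -> str:
    """What a login program does with the KDC's answer, with or without a keytab."""
    tgt = kdc.as_exchange(user, password)
    if tgt is None:
        return "denied: bad password"
    if keytab is None:
        # Unkeyed client: nothing local to check the TGT against, so it has
        # to take whichever KDC answered at its word.
        return "accepted: unverified"
    service = "host/" + host_fqdn
    ticket = kdc.tgs_exchange(tgt, service)
    if ticket is not None and verify_ticket(keytab, ticket, service):
        return "accepted: verified against host key"
    return "denied: KDC could not prove it holds the host key"


def demo() -> dict:
    """Constructed scenario: one real KDC, one rogue KDC, one client host."""
    real = KDC("EXAMPLE.COM")
    keytab = real.add_host("client.example.com")
    real.add_user("alice", "correct horse battery staple")
    rogue = RogueKDC("EXAMPLE.COM")
    host = "client.example.com"
    return {
        "real_keyed": login(real, "alice", "correct horse battery staple", host, keytab),
        "real_wrongpw": login(real, "alice", "wrong", host, keytab),
        "rogue_unkeyed": login(rogue, "alice", "anything", host, None),
        "rogue_keyed": login(rogue, "alice", "anything", host, keytab),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} {result}")
```

The "rogue_unkeyed" case is the gap the reply describes: the fake KDC's TGT is accepted because the client has no key to check anything against. With a keytab present, the same rogue fails at the host/ ticket step, which is the check real login programs perform when they verify the obtained credentials against the local host key.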
