On Fri, Aug 19, 2011 at 12:10:34PM +1000, paul.szabo@xxxxxxxxxxxxx wrote: > > If you are using kerberos authentication then you should be able > > to trust that any remote user really is who they say they are ... > > Does that "work" also against the "evil remote root" e.g. when the > remote machine is compromised? It does what's possible. If a user gives their credentials to the compromised client--well, what can you do, the attacker has their credentials at that point. So if everyone in your department logs into the same client, then root on that client is going to be able to impersonate any of them. Nothing you can do about that. On the other hand, if several people each have their own client and only log in to their own clients, and if one of the clients is compromised, then that client isn't going to be able to impersonate users that have never given it any credentials. > > If you are using NFSv4 and kerberos than there already exist > > interfaces to do what you want. See "man idmap.conf". ... > > Sorry I do not use NFSv4 or kerberos, yet. Could you please point me > to references about idmap.conf, the ones I found suggest it only takes > [Mapping] settings for Nobody-User and Nobody-Group. Look for "static" in a recent version of the idmapd.conf man page. --b. -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html