Hi, ----- "Dros Adamson" <Weston.Adamson@xxxxxxxxxx> wrote: > On Sep 4, 2013, at 12:29 PM, Matt W. Benjamin <matt@xxxxxxxxxxxx> > wrote: > > > Hi > > > > It honestly feels quite odd to me for sec=sys to actually connote > krb5i. > > I should point out that my patches don't introduce the use of krb5i > here, they just fix it. Ack. > > I personally don't think it's weird for the client to use a *more* > secure flavor for certain (infrequent) operations when it makes sense. > What worries me that currently sec=krb5p can cross a SECINFO boundary > and suddenly be using sec=sys! I think the behavior is obviously reasonable, but giving that policy a different name would allow sec=sys to continue mean what it says. > > I'm testing patches that fix that now and also allow multiple sec= > options (in the same form as nfsd exports, i.e. sec=krb5:krb5i, but > I'm trying to fix all the recent regressions surrounding auth flavors > / SECINFO first... That sounds great. > > -dros > > > Thanks, Matt -- Matt Benjamin The Linux Box 206 South Fifth Ave. Suite 150 Ann Arbor, MI 48104 http://linuxbox.com tel. 734-761-4689 fax. 734-769-8938 cel. 734-216-5309 -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
