On Sep 5, 2013, at 8:50 AM, Matt W. Benjamin <matt@xxxxxxxxxxxx> wrote: > Hi, > > ----- "Dros Adamson" <Weston.Adamson@xxxxxxxxxx> wrote: > >> On Sep 4, 2013, at 12:29 PM, Matt W. Benjamin <matt@xxxxxxxxxxxx> >> wrote: >> >>> Hi >>> >>> It honestly feels quite odd to me for sec=sys to actually connote >> krb5i. >> >> I should point out that my patches don't introduce the use of krb5i >> here, they just fix it. > > Ack. > >> >> I personally don't think it's weird for the client to use a *more* >> secure flavor for certain (infrequent) operations when it makes sense. >> What worries me that currently sec=krb5p can cross a SECINFO boundary >> and suddenly be using sec=sys! > > I think the behavior is obviously reasonable, but giving that policy a > different name would allow sec=sys to continue mean what it says. > I think there is definitely room for discussion on how sec= behavior has changed and how this will affect users, especially when I add the patches mentioned below. -dros >> >> I'm testing patches that fix that now and also allow multiple sec= >> options (in the same form as nfsd exports, i.e. sec=krb5:krb5i, but >> I'm trying to fix all the recent regressions surrounding auth flavors >> / SECINFO first... > > That sounds great. > >> >> -dros >> >>> > > Thanks, > > Matt > > -- > Matt Benjamin > The Linux Box > 206 South Fifth Ave. Suite 150 > Ann Arbor, MI 48104 > > http://linuxbox.com > > tel. 734-761-4689 > fax. 734-769-8938 > cel. 734-216-5309 -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
