Re: v4.0 CB_COMPOUND authentication failures

On Tue, 8 Apr 2014 10:39:04 -0700
"Frank Filz" <ffilzlnx@xxxxxxxxxxxxxx> wrote:

> > > If you mount by IP do you really care about krb5 ? Probably not, maybe
> > > that's a clue we should not even try ...
> > >
> > 
> > It's certainly possible that someone passes in an IP address but then says
> > "-o sec=krb5". It has worked in the past, so it's hard to know whether and how
> > many people actually depend on it.
> 
> Mount by ip is sometimes used with clustered servers, especially when they
> have all their IP addresses in the DNS record. Even using a FQDN that just
> specifies that one IP address probably won't work then (since it probably is
> NOT the hostname used in the server credential).
> 
> Frank
> 

Well even if it works today, using IP addresses with krb5 requires a bit of
cognitive dissonance. krb5 is set up to use hostnames, so if you don't
provide them you end up using what DNS gives you. That effectively
leaves you only as secure as your DNS resolution is. Simo's blog post
outlines the potential danger of that approach.

-- 
Jeff Layton <jlayton@xxxxxxxxxx>
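
The following is an added example, not part of the original thread or of any code from its participants: one way to find the configurations discussed above, NFS mounts that request a krb5 flavor while naming the server by IP literal. It assumes fstab-format input (the first four fields of /proc/mounts have the same layout); the sample entries are constructed.

```python
import ipaddress

KRB5_FLAVORS = {"krb5", "krb5i", "krb5p"}

def server_of(spec):
    """Server part of an NFS device spec: host:/path or [v6addr]:/path."""
    if spec.startswith("["):
        end = spec.find("]")
        return spec[1:end] if end != -1 else None
    host, sep, _path = spec.partition(":")
    return host if sep else None

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def krb5_flavors(options):
    """Kerberos flavors in sec=, which may be a colon-separated list."""
    found = []
    for opt in options.split(","):
        key, _, value = opt.partition("=")
        if key == "sec":
            found += [f for f in value.split(":") if f in KRB5_FLAVORS]
    return found

def audit(fstab_text):
    """Return (server, mountpoint, flavors) for krb5 mounts made by IP."""
    findings = []
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        if fields[2] not in ("nfs", "nfs4"):
            continue
        host, flavors = server_of(fields[0]), krb5_flavors(fields[3])
        if host and flavors and is_ip_literal(host):
            findings.append((host, fields[1], flavors))
    return findings

# Constructed sample entries (documentation address ranges).
SAMPLE = """\
192.0.2.10:/export/home        /home     nfs4  rw,sec=krb5p      0 0
nfs1.example.com:/export/data  /data     nfs4  rw,sec=krb5       0 0
[2001:db8::5]:/export/proj     /proj     nfs   rw,sec=krb5i:sys  0 0
198.51.100.7:/scratch          /scratch  nfs   rw,sec=sys        0 0
"""

if __name__ == "__main__":
    for host, mountpoint, flavors in audit(SAMPLE):
        print(f"{mountpoint}: {','.join(flavors)} requested, server given as IP {host}")
```
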