Hello *
@Brandon, Ben:

On 13.03.2015, 15:05 Brandon Allbery wrote:
> ... the whole business about snooping ticket caches and caching its
> own private copy is concerning security-wise and seems like it
> would easily become confused.

On 13.03.2015, 16:53 Benjamin Kaduk wrote:
> See Brandon's response as well, but from a security perspective,
> the kernel NFS implementation is wrong to cache things for so
> long, especially without providing a way to invalidate a cached
> entry.

It's nice to hear that we're not the only ones thinking this is not such a good idea.

@Simo

On 13.03.2015 at 17:24 Simo Sorce wrote:
> Note that NFS does not cache a ticket, it simply does not destroy
> the GSS Session after it has been created.

Didn't get this detail from our test.

> An interface to allow to destroy the NFS's user session on kdestroy
> has been discussed with NFS upstream before but it hasn't gone
> anywhere yet.

Do you refer to these discussions or is there something else we missed?

http://thread.gmane.org/gmane.linux.nfs/46234
https://fedorahosted.org/gss-proxy/ticket/1

It looks like the problem is well known and there have been ideas to solve it which never got into the kernel:

http://www.spinics.net/lists/linux-nfs/msg34236.html
http://www.citi.umich.edu/projects/asci/icsi-alpha/nfs-utils-patches/1.0.10-asci-2/nfs-utils-1.0.10-asci-017-add_nfslogin.dif

Does one of you have an idea how the situation can be pushed in the right direction?

Our Canonical Support Contact created a bug here:

https://bugzilla.kernel.org/show_bug.cgi?id=93891

and maybe commenting on that from the Kerberos community may help ...

Robert.

-- 
Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos