From owner-freebsd-security Mon Mar 12 10:19:36 2001
Message-ID: <3AAD0E21.4EDB1E4C@we.lc.ehu.es>
Date: Mon, 12 Mar 2001 18:57:53 +0100
From: "Jose M. Alcaide"
Organization: Universidad del Pais Vasco - Dpto. de Electricidad y Electronica
To: security@FreeBSD.org
Subject: NFS and kerberos?

Hello,

I want to authenticate NFS clients on an NFS server (all of them running FreeBSD 4.3). I found that SecureRPC is not an option, but I also found the "-kerb" flag in exports(5). However, the manpage says:

    The -kerb option specifies that the Kerberos authentication server
    should be used to authenticate and map client credentials. This
    option requires that the kernel be built with the NFSKERB option.
    The use of this option will prevent the kernel from compiling unless
    calls to the appropriate Kerberos encryption routines are provided
    in the NFS source.

I searched sys/nfs/* for NFSKERB and indeed I found some "XXX" placeholders parenthesized by "#ifdef NFSKERB" for -I think- those calls to the Kerberos encryption routines. Obviously the kernel cannot be compiled if NFSKERB is #define'd.

My question is: can I use kerberos for NFS client authentication? If I cannot, then I'll welcome any suggestions about how to share file systems with authenticated clients.

TIA,
--
JMA
****** Jose M. Alcaide // jose@we.lc.ehu.es // jmas@FreeBSD.org ******
** "Beware of Programmers who carry screwdrivers" -- Leonard Brandwein **