2

When NFSv4 is configured to use kerberos authentication is mandatory to have a keytab installed on every client with is own principal. To access files a user still needs to be authenticated with his principal.

What happens if a client keytab gets stolen? (or an attacker gets root privileges on a authorized client). Can the attacker use a modified version of NFS in order to bypass user authentication?

So I want to understand if user access control is performed by the client or by the server.

Bonus question: if the authorizing is done by the server, why does every client need a keytab?

Enrico Polesel
  • 201
  • 1
  • 4

1 Answers1

1

I am not a master of NFS, but a reading of RFC 7530 (and some NFS discussion archives) shows that NFSv4 has callbacks: a NFS server can contact a NFS client, and delegate certain responsibilities to the client. The callbacks allow improved network performance.

The presence of callbacks answers your final question "why does every client need a keytab?" The client needs a keytab so the server (during a callback) can authenticate the identity of the client. If a client keytab is stolen, the attacker could potentially imitate being that NFS client, and intercept or spoof NFS network traffic.

Access control is performed by the server, with the credentials sent by the client in the RPC request.

Community
  • 1
Jacob
  • 131
  • 5