
I have got the following setup: one Linux machine is the backup storage for a whole network of machines. The network is considered safe in the sense that no real bad guy is assumed on it. In the network are multiple nodes (A, B, ..., F) that put their backups on the central server (not the topic of this question). Each such node is dedicated to exactly one user.

The users should now be allowed to access their own backups. That is on the server there is a folder containing folders A through F containing the individual backup destinations. The users on the nodes should be able to access their own backups.

One idea was to use chrooted SSH connections to allow the connection to the individual backup paths. The other idea was to use NFS with Kerberos. The IPs are assigned dynamically and cannot be fixed. There is no option to change this behavior (see it as a restriction). So I cannot export the shares A through F to the IPs, as these are not fixed.

Here is my question: can I somehow restrict the access for some shares so that they are accessible only via Kerberos for a subset of all known machines?

I thought of using different domains, but I am unsure if this could work at all. Here I do not have enough insight into Kerberos. Could you please give me advice before I mess with the whole network and in the end do not reach anything useful?

Christian Wolf

1 Answer


No, you can't easily export a Kerberos share to a subset of dynamic IP addresses. However, you can relatively easily export a Kerberos share to a set of Kerberized users.

A Kerberized share acts much like a standard NFS share, but the client can't fake the uid it's operating under. Unix/POSIX ACLs should be set accordingly.

An NFS share can be restricted to both a specific subnet and require Kerberos:

/srv/backup/A 203.0.113.0/25(ro,sec=krb5p)
/srv/backup/B 203.0.113.128/25(ro,sec=krb5p)

Both the client and the server need access to appropriate keytabs.
The server is nfs/<server.fqdn>@<REALM>.
The client (rpc.gssd) searches, in order, for:

<HOSTNAME>$@<REALM>
root/<hostname>@<REALM>
nfs/<hostname>@<REALM>
host/<hostname>@<REALM>
root/<anyname>@<REALM>
nfs/<anyname>@<REALM>
host/<anyname>@<REALM>

The client must have a valid ticket, usually obtained by pam_sss, pam_krb5, ssh -K, kinit, or k5start.

The server and the client must both resolve the same Kerberos principals to the same usernames.

84104
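The answer's point is that the security comes from the `sec=` option on each export entry: an entry with no `sec=` defaults to `sys` (the client-asserted uid the answer warns about), and a list such as `sec=sys:krb5p` still lets a client negotiate AUTH_SYS. The following Python script is an added example, not code from the original answer or from the NFS project; it parses an exports(5)-style file and reports every backup share that is not Kerberos-only. The sample exports text, the share paths, and the subnets are constructed for the example.

```python
import re

# Constructed sample /etc/exports content (not from the original answer).
# A is correct; B allows an AUTH_SYS fallback; C has no options at all
# (so it defaults to sec=sys); D is Kerberos-only but exported to every host.
SAMPLE_EXPORTS = """\
# backup shares, one per node
/srv/backup/A 203.0.113.0/25(ro,sec=krb5p)
/srv/backup/B 203.0.113.128/25(ro,sec=sys:krb5p)
/srv/backup/C 203.0.113.0/24
/srv/backup/D *(rw,sec=krb5i)
"""

# One client entry: "client(opt,opt)" or a bare "client" with no options.
# Per exports(5) a space before the "(" makes the options apply to the world,
# which this parser would report as a separate bare entry.
ENTRY_RE = re.compile(r'(\S+?)(?:\((.*?)\))?(?=\s|$)')

# Flavors in which the server, not the client, establishes the user's identity.
KRB_FLAVORS = {"krb5", "krb5i", "krb5p"}


def parse_exports(text):
    """Return {path: [(client, [option, ...]), ...]} for exports(5)-style text."""
    exports = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, clients = parts[0], []
        if len(parts) == 2:
            for m in ENTRY_RE.finditer(parts[1]):
                client, opts = m.group(1), m.group(2)
                opt_list = [o.strip() for o in opts.split(',')] if opts else []
                clients.append((client, opt_list))
        exports.setdefault(path, []).extend(clients)
    return exports


def sec_flavors(opts):
    """Security flavors an option list permits; exports(5) defaults to sys."""
    flavors = {"sys"}
    for o in opts:
        if o.startswith("sec="):
            flavors = set(o[len("sec="):].split(':'))
    return flavors


def audit_exports(text, kerberos_only_paths):
    """Return (path, client, problem) findings for shares that must be Kerberos-only."""
    findings = []
    exports = parse_exports(text)
    for path in kerberos_only_paths:
        entries = exports.get(path)
        if entries is None:
            findings.append((path, None, "share not exported"))
            continue
        for client, opts in entries:
            weak = sec_flavors(opts) - KRB_FLAVORS
            if weak:
                findings.append((path, client,
                                 "allows non-Kerberos flavor(s): " + ",".join(sorted(weak))))
            if client == "*":
                findings.append((path, client,
                                 "exported to every host; restrict to the backup subnet"))
    return findings


if __name__ == "__main__":
    shares = ["/srv/backup/" + n for n in "ABCDE"]
    for path, client, problem in audit_exports(SAMPLE_EXPORTS, shares):
        print(f"{path} [{client}]: {problem}")
```

Run it against the real file with `audit_exports(open('/etc/exports').read(), shares)`; an empty result means every listed share requires one of the `krb5*` flavors for every client entry. The check only covers the server side: the keytab and ticket requirements the answer lists still have to be satisfied on each node.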