Hello,
Doing the NFS server, we would like to provide RPC_GSSAPI for better
security.
I've got all the information (I hope) that can be obtained from the RFCs. There
are still several things that I am missing in the entire puzzle.
1) RPC_GSSAPI allows multiple pseudo-flavors (depending on mechanisms in
use). Which of them are actually in use and have to be supported? I mean
working with clients from Microsoft, Linux and major UNIXes (Sun?). Is
Kerberos enough?
2) What forces the client computer to use stronger security rather than
AUTH_UNIX over RPC? I have total control of what's going on on the server,
but plan no changes in the configuration of clients.
3) How can I support both AUTH_UNIX and Kerberos over AUTH_RPCGSS in a
single installation? The question is not about security leaks but rather
about user identification: in the case of AUTH_UNIX I get the user ID/group ID
with the RPC message. In the case of Kerberos, I get a ticket. How should I
support a single namespace of users for these 2 methods?
4) Where can I find good samples for using GSS for this kind of work?
5) Are sources for an appropriate GSS implementation available somewhere, and
under which conditions?
Thanks in advance
Vladimir