[linux-cifs-client] mount.cifs with sec=krb5 where kerberos principal is not the same as file server
Andrew Baumann
andrewb at inf.ethz.ch
Wed Oct 28 06:49:58 MDT 2009
Hi Jeff,
On Wednesday 28 October 2009 13.31:27 Jeff Layton wrote:
> The reason is that while CIFS doesn't currently do mutual krb5
> authentication, eventually it should. The problem with trusting the
> mechListMIC is that it makes the client susceptible to
> man-in-the-middle attacks. An attacker could redirect traffic to a
> server of his choosing (perhaps by spoofing DNS) and the client would
> be none the wiser.
Hm, I see. Do you happen to know if smbclient does this? In the interim,
perhaps it would be useful to have a mount option that could specify the
service principal explicitly.
> Now...when you say that fs-srv1 is a different host from the file
> server, what exactly do you mean?
I mean that it is a valid host with a different IP from the host with the
share, and it does not itself offer SMB service:
$ host fs.systems
fs.systems.inf.ethz.ch is an alias for fs-systems.inf.ethz.ch.
fs-systems.inf.ethz.ch has address 129.132.19.42
$ host fs-srv1
fs-srv1.ethz.ch is an alias for fs-srv1.inf.ethz.ch.
fs-srv1.inf.ethz.ch has address 129.132.19.5
$ telnet fs-srv1 microsoft-ds
Trying 129.132.19.5...
telnet: Unable to connect to remote host: Connection refused
(I don't know the exact details of the file service setup here, but I can find
out more if it's helpful).
Andrew
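The setup Andrew describes is a CNAME pointing at a host whose name differs from the one the server would present as its principal. As an added example (not code from the thread or from cifs-utils), the following Python models the client-side check that mutual authentication gives you: derive the expected cifs/ service principal from the name the user mounted, and verify that the host named in a principal actually resolves to the address the client connected to. The DNS table is constructed from the `host` output quoted above, not a live lookup, and the realm is a placeholder because the thread never states it.

```python
# Constructed DNS data modelled on the `host` output in the thread (not a live lookup).
ZONE = {
    "fs.systems.inf.ethz.ch": ("CNAME", "fs-systems.inf.ethz.ch"),
    "fs-systems.inf.ethz.ch": ("A", "129.132.19.42"),
    "fs-srv1.ethz.ch": ("CNAME", "fs-srv1.inf.ethz.ch"),
    "fs-srv1.inf.ethz.ch": ("A", "129.132.19.5"),
}
SEARCH_DOMAINS = ("inf.ethz.ch", "ethz.ch")  # assumed resolver search list
REALM = "EXAMPLE.REALM"  # placeholder: the thread does not state the Kerberos realm


def qualify(name, zone=ZONE, search=SEARCH_DOMAINS):
    """Turn a short name into a zone key by trying the search list, like a resolver."""
    if name in zone:
        return name
    for dom in search:
        cand = f"{name}.{dom}"
        if cand in zone:
            return cand
    return None


def resolve(name, zone=ZONE, max_hops=8):
    """Follow CNAME records to (canonical_name, address).
    Returns (None, None) for unknown names or CNAME loops."""
    name = qualify(name, zone)
    for _ in range(max_hops):
        if name is None:
            return None, None
        rtype, value = zone[name]
        if rtype == "A":
            return name, value
        name = qualify(value, zone)  # CNAME target; loop protection via max_hops
    return None, None


def expected_spn(mount_host, zone=ZONE, realm=REALM):
    """The principal a client would derive from the mounted name after canonicalisation."""
    canon, _ = resolve(mount_host, zone)
    return None if canon is None else f"cifs/{canon}@{realm}"


def spn_host(spn):
    """Extract the host component of 'cifs/host@REALM'."""
    return spn.split("/", 1)[1].split("@", 1)[0]


def spn_matches_peer(spn, peer_ip, zone=ZONE):
    """Mutual-auth style check: does the host named in the principal resolve to the
    address we are actually talking to?  A server that merely *claims* a principal
    (as with trusting the mechListMIC) would not be caught without this."""
    _, addr = resolve(spn_host(spn), zone)
    return addr is not None and addr == peer_ip


if __name__ == "__main__":
    peer = "129.132.19.42"  # address the client connected to for fs.systems
    derived = expected_spn("fs.systems")
    print("derived SPN:", derived, "->", spn_matches_peer(derived, peer))
    advertised = expected_spn("fs-srv1")
    print("server-advertised SPN:", advertised, "->", spn_matches_peer(advertised, peer))
```

Run against the thread's data, the name-derived principal checks out against the address connected to, while the principal the server would advertise (`fs-srv1`) resolves elsewhere and is rejected. That is exactly the case an explicit principal mount option would have to override, with the administrator rather than the server vouching for the name.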