[linux-cifs-client] mount.cifs with sec=krb5 where kerberos principal is not the same as file server

Jeff Layton jlayton at samba.org
Wed Oct 28 12:28:36 MDT 2009


On Wed, 28 Oct 2009 13:49:58 +0100
Andrew Baumann <andrewb at inf.ethz.ch> wrote:

> Hi Jeff,
> 
> On Wednesday 28 October 2009 13.31:27 Jeff Layton wrote:
> > The reason is that while CIFS doesn't currently do mutual krb5
> > authentication, eventually it should. The problem with trusting the
> > mechListMIC is that it makes the client susceptible to
> > man-in-the-middle attacks. An attacker could redirect traffic to a
> > server of his choosing (perhaps by spoofing DNS) and the client would
> > be none the wiser.
> 
> Hm, I see. Do you happen to know if smbclient does this? In the interim, 
> perhaps it would be useful to have a mount option that could specify the 
> service principal explicitly.
> 

Actually...I'm not terribly opposed to adding a mount option for this.
If someone wants to do the legwork on it and propose a patch, I'll be
happy to help review it.

-- 
Jeff Layton <jlayton at samba.org>

