Hi I’m still using gssproxy on the client side ( so that non interactive processes can access “kerberized” NFS volumes ) Note: I believe that the security issue was not a real issue, just the general recommendation not to run services unless you are actually using them Also, I believe that the use-gss-proxy parameter is still valid. The issue was just a man page issue … which I believe was resolved Andy > From: linux-nfs+owner@xxxxxxxxxxxxxxx <linux-nfs+owner@xxxxxxxxxxxxxxx> > > Your message to <linux-nfs@xxxxxxxxxxxxxxx> was not delivered to the list > because it contained a HTML part. Only text/plain messages are allowed on > this list. > > -----Original Message----- > From: Charles Hedrick <hedrick@xxxxxxxxxxx> > Sent: Thursday, September 4, 2025 12:53 PM > To: Andrew Romero <romero@xxxxxxxx>; linux-nfs@xxxxxxxxxxxxxxx > Subject: Re: GSSPROXY ( for NFS with sec=krb5, krb5i , krb5p ) is development > still active or is it being depreciated > > [EXTERNAL] – This message is from an external sender > > > From: Andrew J. Romero <romero@xxxxxxxx> > > > I noticed that in newer versions of Linux > > ( for example: Red Hat Enterprise v9 ), the > > parameter use-gss-proxy > > (in [gssd] section of /etc/nfs.conf file ) > >no longer exists. Why not ? > > > I have also read that some security specialists > > ( noted in stigviewer.com ) theorize that gssproxy > > increases security risk. > > > gssproxy facilitates the reliable use of Kerberos secured > > NFS storage by non-interactive processes. > > Note that there are two different uses for gssproxy, on client and server side of > NFS. On the server side there's no current alternative. The older rpc.svcgssd has > a limit to the ticket size that makes it not work reliably with the newest versions > of Kerberos (versions using PACs). > > We are currently using one of the kludges you refer to. I was planning to moving > to gssproxy with constrained delegation, since that is a standard feature and > thus likely to be easier for other staff to support. If there's serious plans to > decommission gssproxy, I'd like to know, so I can arrange to make my kludge > more supportable. Supporting cron jobs is essential.
