> From: Andrew J. Romero <romero@xxxxxxxx>
>
> I noticed that in newer versions of Linux
> (for example: Red Hat Enterprise v9), the
> parameter use-gss-proxy
> (in [gssd] section of /etc/nfs.conf file)
> no longer exists. Why not?
>
> I have also read that some security specialists
> (noted in stigviewer.com) theorize that gssproxy
> increases security risk.
>
> gssproxy facilitates the reliable use of Kerberos secured
> NFS storage by non-interactive processes.

Note that there are two different uses for gssproxy, on client and server side of NFS. On the server side there's no current alternative. The older rpc.svcgssd has a limit to the ticket size that makes it not work reliably with the newest versions of Kerberos (versions using PACs).

We are currently using one of the kludges you refer to. I was planning to move to gssproxy with constrained delegation, since that is a standard feature and thus likely to be easier for other staff to support. If there are serious plans to decommission gssproxy, I'd like to know, so I can arrange to make my kludge more supportable. Supporting cron jobs is essential.