alt Hacker News> The fact that NFSv4 has no concept of true "Authentication" and just blindly accepts whatever the client sends is the craziest network application design ever
Doesn’t the secure option require ports only a root user can bind too? And you can always create secure tunnels if the physical network is insecure.
Sure, if you (the admin) have full control over the NFS server, the network, and the client devices, NFS can be secure with the help of Kerberos. But this isn't a simple thing. A Kerberos server needs to be set up, Kerberos clients need to be configured on the NFS server and client, tickets need to be issued, firewall ports need to be opened, and user accounts need to be centrally managed. That's all fine for an Enterprise.
Now, how about this common scenario: I want to run a file-sharing server on my network. I want a random "friend" to come over and grab a copy of a file, but I don't want them to see any other files on the NFS server.
So, the "friend" has root access on their device. They can just log in and lie to the NFS server, claim they're my UID, and see all my files that I didn't want them to access. Configuring KRB in that scenario is totally impractical.