From: "J. Bruce Fields" <bfields@fieldses.org>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
David Noveck <david.noveck@emc.com>
Subject: Re: NFS: Treat NFS4ERR_CLID_INUSE as a fatal error
Date: Thu, 9 Aug 2012 17:38:38 -0400 [thread overview]
Message-ID: <20120809213838.GC11538@fieldses.org> (raw)
In-Reply-To: <6575B2FD-CCE4-40D5-9CBA-82681EC20E17@oracle.com>
On Thu, Aug 09, 2012 at 05:29:47PM -0400, Chuck Lever wrote:
>
> On Aug 9, 2012, at 5:13 PM, J. Bruce Fields wrote:
> > The server could just compare principal strings (and ignore
> > pseudoflavors) in the gss case.
>
> Barring a correction about how GSS Kerberos principals work, I think that's the correct approach.
I also don't know if principals produced by other mechanisms are going
to be comparable. Of course that's a bit academic given that kerberos
is the only mechanism for the forseeable future.
> > If the intention is to ensure that a clientid can't be "hijacked" by
> > someone malicious, then you don't want to allow a krb5 setclientid to
> > blow away a clientid established with krb5i. (If sending the
> > setclientid with krb5i indicates the client wants protection against
> > attacks which replace the body of the rpc, then a later krb5 setclientid
> > should be rejected, since it could be the product of such an attack.)
>
> If the client wants to avoid hijacking, it should start out with krb5i, as is recommended in the Security Considerations section of 3530(bis).
>
> The intention of 3530(bis) is that one client instance uses just one nfs_client_id4.id string. A client that attempts to change flavors on its SETCLIENTID/RENEW operations in mid-journey, on purpose, seems a little schizophrenic. I can't think of a good reason it should do this.
You don't know it's the same client any more. The attack is:
client sends setclientid with krb5i.
client later sends some other rpc with krb5.
attacker intercepts that operation, takes the rpc header, strips
out the body, and replaces the body by a setclientid operation
destroying the client's state.
Since krb5 only protects the header, the server can't tell that's what's
happened.
--b.
next prev parent reply other threads:[~2012-08-09 21:38 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-09 18:35 NFS: Treat NFS4ERR_CLID_INUSE as a fatal error J. Bruce Fields
2012-08-09 19:06 ` Chuck Lever
2012-08-09 19:37 ` J. Bruce Fields
2012-08-09 20:38 ` J. Bruce Fields
2012-08-09 20:46 ` Chuck Lever
2012-08-09 20:52 ` Chuck Lever
2012-08-09 21:13 ` J. Bruce Fields
2012-08-09 21:29 ` Chuck Lever
2012-08-09 21:38 ` J. Bruce Fields [this message]
2012-08-10 19:38 ` Chuck Lever
2012-08-10 20:13 ` J. Bruce Fields
2012-08-10 20:33 ` Chuck Lever
2012-08-10 20:39 ` J. Bruce Fields
2012-08-10 20:53 ` J. Bruce Fields
2012-08-10 21:22 ` Chuck Lever
2012-08-21 18:24 ` J. Bruce Fields
2012-08-21 18:57 ` Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120809213838.GC11538@fieldses.org \
--to=bfields@fieldses.org \
--cc=chuck.lever@oracle.com \
--cc=david.noveck@emc.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.