From: "J. Bruce Fields" <bfields@fieldses.org>
To: Jeff Layton <jlayton@redhat.com>
Cc: linux-nfs@vger.kernel.org, Andy Adamson <androsadamson@gmail.com>,
chuck.lever@oracle.com, trond.myklebust@primarydata.com
Subject: Re: v4.0 CB_COMPOUND authentication failures
Date: Tue, 8 Apr 2014 08:35:01 -0400 [thread overview]
Message-ID: <20140408123501.GA3532@fieldses.org> (raw)
In-Reply-To: <20140408082140.340c1328@tlielax.poochiereds.net>
On Tue, Apr 08, 2014 at 08:21:40AM -0400, Jeff Layton wrote:
> I've recently been hunting down some problems with delegation handling
> and have run across a problem with the client authenticates CB_COMPOUND
> requests. I could use some advice on how best to fix it.
>
> Specifically, check_gss_callback_principal() tries to look up the
> callback client and then tries to compare the ticket in it against the
> clp->cl_hostname:
>
> /* Expect a GSS_C_NT_HOSTBASED_NAME like "nfs@serverhostname" */
>
> if (memcmp(p, "nfs@", 4) != 0)
> return 0;
> p += 4;
> if (strcmp(p, clp->cl_hostname) != 0)
> return 0;
> return 1;
>
> The problem is that there is no guarantee that those hostnames will be
> the same. If, for instance, I mount "foo:/" and the SPN is
> "nfs/foo.bar.baz" that strcmp will return true, and the CB_COMPOUND
> request will get tossed out [1]. Ditto if I happen to mount a CNAME of the
> server.
It sounds like a bug to me that the mount is succeeding without the name
matching.
The security provided by krb5 is much weaker if we don't check that the
name provided on the commandline matches what the server authenticates
as.
> Now that we try to use krb5 on the callback channel even when sec=sys
> is specified, this is very problematic.
And similarly I think the attempt to opportunistically use krb5 for
state management should fail and fall back on auth_sys if the server's
name doesn't match.
> I think that the ideal thing would be to stash the SPN that we use to
> do the SETCLIENTID call and use that in the comparison above.
> Unfortunately, the rpc_cred doesn't really seem to carry this info and
> I don't see where we get enough information in the rpc.gssd downcall to
> figure out what that SPN should be.
>
> Anyone have thoughts or should we just remove the above check until we
> come up with a better way to do this?
>
> [1]: there's another bug that can cause the client to send a bogus
> reply instead of dropping the request as intended, but that's
> relatively simple to fix.
So I believe the matching really is a requirement and that it would be
wrong to weaken it.
It sounds like there's also a server bug here if it's giving out
delegations to a client that isn't responding to callbacks.
--b.
next prev parent reply other threads:[~2014-04-08 12:35 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-08 12:21 v4.0 CB_COMPOUND authentication failures Jeff Layton
2014-04-08 12:35 ` J. Bruce Fields [this message]
2014-04-08 12:42 ` Trond Myklebust
2014-04-08 12:57 ` Dr Fields James Bruce
2014-04-08 13:49 ` Jeff Layton
2014-04-08 14:03 ` J. Bruce Fields
2014-04-08 14:22 ` Jeff Layton
2014-04-08 14:41 ` Jeff Layton
2014-04-08 14:47 ` J. Bruce Fields
2014-04-08 14:23 ` Trond Myklebust
2014-04-08 14:46 ` Dr Fields James Bruce
2014-04-08 15:04 ` Jeff Layton
2014-04-08 15:13 ` Dr Fields James Bruce
2014-04-08 17:25 ` Simo Sorce
2014-04-08 17:28 ` Jeff Layton
2014-04-08 16:22 ` Trond Myklebust
2014-04-08 16:40 ` Dr Fields James Bruce
2014-04-08 17:30 ` Trond Myklebust
2014-04-08 17:55 ` Jeff Layton
2014-04-08 18:03 ` Trond Myklebust
2014-04-08 18:24 ` Jeff Layton
2014-04-08 18:45 ` Trond Myklebust
2014-04-08 18:49 ` Jeff Layton
2014-04-08 18:03 ` Dr Fields James Bruce
2014-04-08 16:44 ` Jeff Layton
2014-04-08 17:27 ` Simo Sorce
2014-04-08 17:30 ` Jeff Layton
2014-04-08 17:39 ` Frank Filz
2014-04-08 17:59 ` Jeff Layton
2014-04-08 18:06 ` Simo Sorce
2014-04-08 22:44 ` Frank Filz
2014-04-08 22:52 ` Simo Sorce
2014-04-08 23:31 ` Frank Filz
2014-04-08 18:01 ` Simo Sorce
2014-04-08 18:04 ` Jeff Layton
2014-04-08 18:08 ` Simo Sorce
2014-04-08 18:11 ` Dr Fields James Bruce
2014-04-08 18:52 ` Simo Sorce
2014-04-08 19:01 ` Trond Myklebust
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140408123501.GA3532@fieldses.org \
--to=bfields@fieldses.org \
--cc=androsadamson@gmail.com \
--cc=chuck.lever@oracle.com \
--cc=jlayton@redhat.com \
--cc=linux-nfs@vger.kernel.org \
--cc=trond.myklebust@primarydata.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.