From: Dr Fields James Bruce <bfields@fieldses.org>
To: Jeff Layton <jlayton@redhat.com>
Cc: Trond Myklebust <trond.myklebust@primarydata.com>,
NFS <linux-nfs@vger.kernel.org>,
Adamson William Andros <androsadamson@gmail.com>,
Lever Charles Edward <chuck.lever@oracle.com>
Subject: Re: v4.0 CB_COMPOUND authentication failures
Date: Tue, 8 Apr 2014 14:03:10 -0400 [thread overview]
Message-ID: <20140408180310.GC9457@fieldses.org> (raw)
In-Reply-To: <20140408135512.2397d97f@tlielax.poochiereds.net>
On Tue, Apr 08, 2014 at 01:55:12PM -0400, Jeff Layton wrote:
> On Tue, 8 Apr 2014 13:30:21 -0400
> Trond Myklebust <trond.myklebust@primarydata.com> wrote:
>
> >
> > On Apr 8, 2014, at 12:40, Dr Fields James Bruce <bfields@fieldses.org> wrote:
> > >
> > > On Tue, Apr 08, 2014 at 12:22:51PM -0400, Trond Myklebust wrote:
> > >> How is it not better just to rip out that hostname comparison in the
> > >> back channel?
> > >
> > > Rip it out entirely?
> > >
> > > At that point anyone who can get a credential in the right realm can
> > > send a recall. RFC made this requirement to prevent that.
> > >
> >
> > OK. Let’s examine what RFC3530 and RFC3530bis actually says here:
> >
> > Regardless of what security mechanism under RPCSEC_GSS is being used,
> > the NFS server MUST identify itself in GSS-API via a
> > GSS_C_NT_HOSTBASED_SERVICE name type. GSS_C_NT_HOSTBASED_SERVICE
> > names are of the form:
> >
> > service@hostname
> >
> > For NFS, the "service" element is
> >
> > nfs
> >
> > Implementations of security mechanisms will convert nfs@hostname to
> > various different forms. For Kerberos V5, the following form is
> > RECOMMENDED:
> >
> > nfs/hostname
> >
> > For Kerberos V5, nfs/hostname would be a server principal in the
> > Kerberos Key Distribution Center database. This is the same
> > principal the client acquired a GSS-API context for when it issued
> > the SETCLIENTID operation, therefore, the realm name for the server
> > principal must be the same for the callback as it was for the
> > SETCLIENTID.
> >
> >
> > So as I read the above, technically the client is supposed to read off the principal name that the server uses to authenticate itself to the SETCLIENTID and check that in the callback. Am I wrong?
> >
> > If so, then the steps are:
> >
> > 1) Modify process_krb5_upcall() and have the call to gss_inquire_context() also request the context acceptor name
> > 2) Modify the rpc.gssd downcall to pass that name to the kernel in some format that allow us to retrieve it in the SETCLIENTID call.
> > 3) Modify the comparison in check_gss_callback_principal()
> >
> >
>
> Sounds about right, with #2 being the difficult part...
>
> One possibility for that would be to add a new "acceptor" pipe in the
> clnt?? dirs. Teach gssd to write to the acceptor name to that pipe
> before doing the regular downcall.
>
> The name written there could then be hung off of the clp. If userland
> fails to write the name to the pipe before doing the downcall, we'll
> simply do what we do today (use the cl_hostname).
>
> Adding a new pipe is a bit of a pain, but it does sidestep the problem
> of mismatched kernel and userland...
I guess you could look at gss_pipe_downcall(), pick a case that
currently reliably errors out, and use that.
E.g., the new downcall format could be designed to be > 1024 bytes, and
gssd could fall back on the old call if that failed.
--b.
next prev parent reply other threads:[~2014-04-08 18:03 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-08 12:21 v4.0 CB_COMPOUND authentication failures Jeff Layton
2014-04-08 12:35 ` J. Bruce Fields
2014-04-08 12:42 ` Trond Myklebust
2014-04-08 12:57 ` Dr Fields James Bruce
2014-04-08 13:49 ` Jeff Layton
2014-04-08 14:03 ` J. Bruce Fields
2014-04-08 14:22 ` Jeff Layton
2014-04-08 14:41 ` Jeff Layton
2014-04-08 14:47 ` J. Bruce Fields
2014-04-08 14:23 ` Trond Myklebust
2014-04-08 14:46 ` Dr Fields James Bruce
2014-04-08 15:04 ` Jeff Layton
2014-04-08 15:13 ` Dr Fields James Bruce
2014-04-08 17:25 ` Simo Sorce
2014-04-08 17:28 ` Jeff Layton
2014-04-08 16:22 ` Trond Myklebust
2014-04-08 16:40 ` Dr Fields James Bruce
2014-04-08 17:30 ` Trond Myklebust
2014-04-08 17:55 ` Jeff Layton
2014-04-08 18:03 ` Trond Myklebust
2014-04-08 18:24 ` Jeff Layton
2014-04-08 18:45 ` Trond Myklebust
2014-04-08 18:49 ` Jeff Layton
2014-04-08 18:03 ` Dr Fields James Bruce [this message]
2014-04-08 16:44 ` Jeff Layton
2014-04-08 17:27 ` Simo Sorce
2014-04-08 17:30 ` Jeff Layton
2014-04-08 17:39 ` Frank Filz
2014-04-08 17:59 ` Jeff Layton
2014-04-08 18:06 ` Simo Sorce
2014-04-08 22:44 ` Frank Filz
2014-04-08 22:52 ` Simo Sorce
2014-04-08 23:31 ` Frank Filz
2014-04-08 18:01 ` Simo Sorce
2014-04-08 18:04 ` Jeff Layton
2014-04-08 18:08 ` Simo Sorce
2014-04-08 18:11 ` Dr Fields James Bruce
2014-04-08 18:52 ` Simo Sorce
2014-04-08 19:01 ` Trond Myklebust
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140408180310.GC9457@fieldses.org \
--to=bfields@fieldses.org \
--cc=androsadamson@gmail.com \
--cc=chuck.lever@oracle.com \
--cc=jlayton@redhat.com \
--cc=linux-nfs@vger.kernel.org \
--cc=trond.myklebust@primarydata.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.