From: Jeff Layton <jlayton@redhat.com>
To: David Howells <dhowells@redhat.com>
Cc: lsf-pc@lists.linuxfoundation.org, linux-fsdevel@vger.kernel.org,
linux-nfs@vger.kernel.org, linux-cifs@vger.kernel.org
Subject: Re: [LSF/MM TOPIC] Unified keys for NFS, CIFS and AFS for security data
Date: Sat, 5 Feb 2011 08:03:32 -0500 [thread overview]
Message-ID: <20110205080332.4899b352@corrin.poochiereds.net> (raw)
In-Reply-To: <3599.1295624067@redhat.com>
On Fri, 21 Jan 2011 15:34:27 +0000
David Howells <dhowells@redhat.com> wrote:
>
> I'd like to propose a discussion topic for the LSF: how best to implement a
> common key type for use by NFS, CIFS and AFS such that, say, a kerberos key
> can be encapsulated within one and then be pulled out by various filesystems.
>
> Furthermore, it would be necessary to allow the request_key() upcall mechanism
> to perform GSSAPI queries.
>
I would be interested in discussing this as well. Currently CIFS
"punts" to some degree and offloads almost all of the SPNEGO blob
construction to userspace. So, for CIFS this would involve moving more
of this code into the kernel. I think that's a good thing since it will
make it easier to do mutual-authentication, etc...
This would make it more plausible to store krb5 credcaches in the
kernel keyring too. Modern MIT krb5 libs can do this today (I think),
but most of the kernel upcalls rely on FILE: credcaches. Breaking that
dependency would be nice.
The difficulty here is that request_key() is "stateless", so we need to
think about how to manage GSSAPI contexts across multiple upcalls...or
plan to implement large swaths of the GSSAPI in-kernel.
It might also be helpful to couple this with some consolidation and
cleanup of the ASN.1 parsing code in the kernel. There are at least 3
separate implementations in the kernel today (one in cifs, one in
sunrpc, and one in iptables).
Since Trond's original email asked what I expertise I would bring to
the table:
I currently maintain the cifs-utils package which contains the
cifs.upcall program, and wrote most of the in-kernel pieces of the
current SPNEGO/krb5 upcall for CIFS. I've also done a some work on
the GSSAPI upcall pieces in the RPC layer and in nfs-utils.
--
Jeff Layton <jlayton@redhat.com>
next prev parent reply other threads:[~2011-02-05 12:59 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-01-21 15:34 [LSF/MM TOPIC] Unified keys for NFS, CIFS and AFS for security data David Howells
2011-02-05 13:03 ` Jeff Layton [this message]
2011-02-05 15:55 ` Steve French
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110205080332.4899b352@corrin.poochiereds.net \
--to=jlayton@redhat.com \
--cc=dhowells@redhat.com \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=lsf-pc@lists.linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).