From: "J. Bruce Fields" <bfields@fieldses.org>
To: Simo Sorce <simo@redhat.com>
Cc: bfields@redhat.com, linux-nfs@vger.kernel.org
Subject: Re: [PATCH 2/4] SUNRPC: Document a bit RPCGSS handling in the NFS Server
Date: Mon, 21 May 2012 17:55:45 -0400
Message-ID: <20120521215544.GD28221@fieldses.org>
In-Reply-To: <1337087550-9821-3-git-send-email-simo@redhat.com>
On Tue, May 15, 2012 at 09:12:28AM -0400, Simo Sorce wrote:
> Includes changes introduced by GSS-Proxy.
>
> Signed-off-by: Simo Sorce <simo@redhat.com>
> ---
> Documentation/filesystems/nfs/00-INDEX | 2 +
> Documentation/filesystems/nfs/knfsd-rpcgss.txt | 65 ++++++++++++++++++++++++
> 2 files changed, 67 insertions(+), 0 deletions(-)
> create mode 100644 Documentation/filesystems/nfs/knfsd-rpcgss.txt
>
> diff --git a/Documentation/filesystems/nfs/00-INDEX b/Documentation/filesystems/nfs/00-INDEX
> index 1716874a651e1c574e7ca9719dfb4e3521b0a5e9..66eb6c8c5334518ddbc10115c7b34b4dfb1b3c0e 100644
> --- a/Documentation/filesystems/nfs/00-INDEX
> +++ b/Documentation/filesystems/nfs/00-INDEX
> @@ -20,3 +20,5 @@ rpc-cache.txt
> - introduction to the caching mechanisms in the sunrpc layer.
> idmapper.txt
> - information for configuring request-keys to be used by idmapper
> +knfsd-rpcgss.txt
> + - Information on GSS authentication support in the NFS Server
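Review bot: the new 00-INDEX entry capitalises its description ("Information on GSS authentication ...") while the neighbouring entries start lowercase ("introduction to the caching ...", "information for configuring ..."); lowercase it to match the file's existing style.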
> diff --git a/Documentation/filesystems/nfs/knfsd-rpcgss.txt b/Documentation/filesystems/nfs/knfsd-rpcgss.txt
> new file mode 100644
> index 0000000000000000000000000000000000000000..914aa536273b986539d7859092e2c0f139ce5535
> --- /dev/null
> +++ b/Documentation/filesystems/nfs/knfsd-rpcgss.txt
> @@ -0,0 +1,65 @@
> +
> +Kernel NFS Server RPCGSS Support
> +================================
> +
> +This document gives references to the standards and protocols used to
> +implement RPCGSS authentication in the NFS Server.
> +
> +RPCGSS is specified in a few IETF documents:
> + - RFC2203 v1: http://tools.ietf.org/rfc/rfc2203.txt
> + - RFC5403 v2: http://tools.ietf.org/rfc/rfc5403.txt
> +and there is a 3rd version being proposed:
> + - http://tools.ietf.org/id/draft-williams-rpcsecgssv3.txt
> + (At draft n. 02 at the time of writing)
> +
> +Background
> +----------
> +
> +The RPCGSS Authentication method describes a way to perform GSSAPI
> +Authentication for NFS.
> +Although GSSAPI is itself completely mechanism agnostic, in many cases only
> +the KRB5 mechanism is supported by NFS implementations.
> +
> +The Linux kernel, at the moment, supports only the KRB5 mechanism, and depends
> +on GSSAPI extensions that are KRB5 specific.
> +
> +GSSAPI is a complex library, and implementing it completely in kernel is
> +unwarranted. However GSSAPI operations are fundementally separable in 2 parts:
> +- context establishment
> +- integrity/privacy protection (read: signing and encrypting)
> +
> +The first part is the complex one, while the actual integrity and privacy
> +protecion is simple enough.
> +Because of the complexity of context establishment, the NFS Server defers the
> +operation to the userspace througuh the use of upcalls.
> +
> +NFS Server Legacy Upcall mechanism
> +----------------------------------
> +
> +The classic upcall mechanism uses a custom text based upcall mechanism to talk
> +to a custom daemon called rpc.svcgssd that is provide by the nfs-utils package.
> +
> +This upcall mechanism has 2 limitations:
> +A) Can handle tokens that are no bigger than 2KiB
> +
> +In some Kerberos deployment GSSAPI tokens can be quite big, up and beyond 64KiB
> +in size due to various authorization extensions attacked to the Kerberos
> +tickets, that needs to be sent through the GSS layer in order to perform
> +context establishment.
> +
> +B) Does not properly handle creds where the user is member of more than a few
> +housand groups (the current hard limit in the kernel is 65K groups) due to
> +limitation on the size of the buffer that can be send back to the kernel (4KiB).
> +
> +NFS Server New RPC Upcall mechanism
> +-----------------------------------
> +
> +A new upcall mechanism that uses RPC over a Unix socket is added. This
> +mechanism uses a protocol called gss-proxy, and user space program that
> +implements it called Gssproxy. The gss_proxy RPC protocol is currently document
> +here: https://fedorahosted.org/gss-proxy/wiki/ProtocolDocumentation
That's helpful, thanks.
I thought there were a couple other ways in which the gss-proxy<->kernel
protocol would differ slightly from the full protocol. (Some fields
which we "know" will always be left empty?) Do I remember right, and if
so are those documented someplace too?
--b.
> +
> +This upcall mechanism uses the kernel rpc client and connects to the gssproxy
> +userspace program over a regular unix socket. The gssproxy protocol does not
> +suffer from the size limitations of the legacy protocol.
> +
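Review bot: "authorization extensions attacked to the Kerberos tickets" should read "attached to"; the same paragraph also wants "In some Kerberos deployments" and "that need to be sent". Other spelling slips in the new file: "fundementally" (fundamentally), "protecion" (protection), "througuh" (through), "housand" (thousand), "provide by the nfs-utils package" (provided by), "can be send back" (sent back), "is currently document here" (documented here), and "and user space program that implements it called Gssproxy" reads better as "and a user space program, gssproxy, that implements it". Two smaller points: the 4KiB limit under (B) is on the data sent back to the kernel while the 2KiB limit under (A) is on the token sent up to userspace, so saying "downcall" explicitly next to the 4KiB figure would spare the reader working that out; and since the text already pins the draft at revision 02, pointing the URL at the versioned draft file rather than the unversioned name keeps the reference stable when -03 appears.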
> --
> 1.7.7.6
>
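The credential and INIT exchange the quoted document refers to (RFC 2203) are easier to reason about with the encoding in hand. The following is an added example and not code from the patch, the kernel or gss-proxy: it encodes and decodes the RPCSEC_GSS version 1 credential body and the rpc_gss_init_res reply using the constants RFC 2203 defines, and then triages an INIT/CONTINUE_INIT request the way a server that defers context establishment to an upcall must. The 2KiB figure is taken from the document above; classify_init_request(), its status strings, the upcall_max parameter and the sample tokens are illustrative assumptions.

```python
"""RPCSEC_GSS v1 credential/INIT encoding (RFC 2203) and upcall-size triage.

Added example: RFC 2203 constants are real; LEGACY_UPCALL_MAX_TOKEN is the
2KiB figure from knfsd-rpcgss.txt; classify_init_request() and its return
strings are illustrative and not knfsd code.
"""
import struct

RPCSEC_GSS_VERS_1 = 1
# rpc_gss_proc_t
RPCSEC_GSS_DATA, RPCSEC_GSS_INIT, RPCSEC_GSS_CONTINUE_INIT, RPCSEC_GSS_DESTROY = 0, 1, 2, 3
# rpc_gss_service_t
RPC_GSS_SVC_NONE, RPC_GSS_SVC_INTEGRITY, RPC_GSS_SVC_PRIVACY = 1, 2, 3
MAXSEQ = 0x80000000
# Largest GSS token the legacy rpc.svcgssd text upcall can carry (per the doc).
LEGACY_UPCALL_MAX_TOKEN = 2 * 1024


def xdr_opaque(data):
    """XDR variable-length opaque: 4-byte big-endian length, bytes, pad to 4."""
    return struct.pack(">I", len(data)) + data + b"\0" * ((-len(data)) % 4)


def xdr_read_opaque(buf, off):
    """Read an XDR opaque at buf[off]; return (bytes, offset past the padding)."""
    if off + 4 > len(buf):
        raise ValueError("truncated opaque length")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("opaque length %d runs past the buffer" % n)
    return buf[off + 4:end], end + ((-n) % 4)


def encode_gss_cred(gss_proc, seq_num, service, handle=b""):
    """rpc_gss_cred_t, version 1: the body of an opaque_auth of flavor RPCSEC_GSS."""
    return struct.pack(">IIII", RPCSEC_GSS_VERS_1, gss_proc, seq_num, service) + xdr_opaque(handle)


def decode_gss_cred(body):
    """Parse rpc_gss_cred_t and reject values RFC 2203 does not allow."""
    if len(body) < 16:
        raise ValueError("credential body too short")
    version, gss_proc, seq_num, service = struct.unpack_from(">IIII", body, 0)
    if version != RPCSEC_GSS_VERS_1:
        raise ValueError("unsupported RPCSEC_GSS version %d" % version)
    if gss_proc > RPCSEC_GSS_DESTROY:
        raise ValueError("unknown gss_proc %d" % gss_proc)
    if service not in (RPC_GSS_SVC_NONE, RPC_GSS_SVC_INTEGRITY, RPC_GSS_SVC_PRIVACY):
        raise ValueError("unknown service %d" % service)
    if seq_num >= MAXSEQ:  # RFC 2203 caps sequence numbers at MAXSEQ
        raise ValueError("seq_num %d reached MAXSEQ" % seq_num)
    handle, end = xdr_read_opaque(body, 16)
    if end != len(body):
        raise ValueError("trailing bytes after credential")
    return {"gss_proc": gss_proc, "seq_num": seq_num, "service": service, "handle": handle}


def encode_init_res(handle, gss_major, gss_minor, seq_window, gss_token):
    """rpc_gss_init_res: the reply body to an INIT/CONTINUE_INIT call."""
    return (xdr_opaque(handle) + struct.pack(">III", gss_major, gss_minor, seq_window)
            + xdr_opaque(gss_token))


def decode_init_res(buf):
    handle, off = xdr_read_opaque(buf, 0)
    if off + 12 > len(buf):
        raise ValueError("truncated init_res")
    gss_major, gss_minor, seq_window = struct.unpack_from(">III", buf, off)
    gss_token, end = xdr_read_opaque(buf, off + 12)
    if end != len(buf):
        raise ValueError("trailing bytes after init_res")
    return {"handle": handle, "gss_major": gss_major, "gss_minor": gss_minor,
            "seq_window": seq_window, "gss_token": gss_token}


def classify_init_request(cred_body, call_args, upcall_max=LEGACY_UPCALL_MAX_TOKEN):
    """Server-side triage of one RPCSEC_GSS request (illustrative, not knfsd code).

    call_args is the procedure-argument area; for INIT and CONTINUE_INIT it is a
    single XDR opaque holding the client's GSS token.  upcall_max models the
    token size the upcall to userspace can carry: 2KiB for the legacy text
    upcall, None for the gss-proxy RPC upcall, which has no such limit.
    """
    cred = decode_gss_cred(cred_body)
    proc = cred["gss_proc"]
    if proc == RPCSEC_GSS_DATA:
        return "data"
    if proc == RPCSEC_GSS_DESTROY:
        return "destroy"
    # INIT opens a new context, so the client cannot name a handle yet;
    # CONTINUE_INIT must carry the handle the server returned in its first reply.
    if (proc == RPCSEC_GSS_INIT) != (cred["handle"] == b""):
        return "reject"
    token, end = xdr_read_opaque(call_args, 0)
    if end != len(call_args):
        raise ValueError("trailing bytes after gss token")
    # Context establishment runs in userspace; if the upcall channel cannot
    # carry the token, the server can never finish the handshake.
    if upcall_max is not None and len(token) > upcall_max:
        return "token-too-large"
    return "upcall"


if __name__ == "__main__":
    init_cred = encode_gss_cred(RPCSEC_GSS_INIT, 0, RPC_GSS_SVC_NONE)
    # Constructed tokens: one the size of a plain service ticket, one PAC-laden.
    small, big = xdr_opaque(b"\xa0" * 1500), xdr_opaque(b"\xa0" * (64 * 1024))
    for name, args in (("1500-byte token", small), ("64KiB token", big)):
        print(name, "legacy:", classify_init_request(init_cred, args),
              "gss-proxy:", classify_init_request(init_cred, args, upcall_max=None))
```

The handle rule in classify_init_request() is the one worth internalising: an INIT with a non-empty handle or a CONTINUE_INIT without one is malformed regardless of the token, so it is rejected before any token is handed to userspace.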
Thread overview (44+ messages):
2012-05-15 13:12 [PATCH 0/4] Add support for new upcall mechanism for nfsd Simo Sorce
2012-05-15 13:12 ` [PATCH 1/4] SUNRPC: conditionally return endtime from import_sec_context Simo Sorce
2012-05-21 21:52 ` J. Bruce Fields
2012-05-15 13:12 ` [PATCH 2/4] SUNRPC: Document a bit RPCGSS handling in the NFS Server Simo Sorce
2012-05-21 21:55 ` J. Bruce Fields [this message]
2012-05-22 0:37 ` Simo Sorce
2012-05-15 13:12 ` [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth Simo Sorce
2012-05-22 12:47 ` J. Bruce Fields
2012-05-22 13:00 ` Simo Sorce
2012-05-22 13:17 ` Stanislav Kinsbursky
2012-05-22 13:22 ` Simo Sorce
2012-05-22 13:32 ` Stanislav Kinsbursky
2012-05-22 14:20 ` J. Bruce Fields
2012-05-22 14:44 ` Stanislav Kinsbursky
2012-05-22 15:07 ` J. Bruce Fields
2012-05-22 15:16 ` Simo Sorce
2012-05-22 15:31 ` J. Bruce Fields
2012-05-22 15:44 ` Simo Sorce
2012-05-22 15:19 ` Stanislav Kinsbursky
2012-05-22 18:11 ` J. Bruce Fields
2012-05-22 18:41 ` Stanislav Kinsbursky
2012-05-22 14:58 ` Simo Sorce
2012-05-22 15:10 ` Stanislav Kinsbursky
2012-05-22 15:18 ` Simo Sorce
2012-05-22 15:23 ` Stanislav Kinsbursky
2012-05-22 13:00 ` Stanislav Kinsbursky
2012-05-22 15:02 ` J. Bruce Fields
2012-05-22 15:15 ` Simo Sorce
2012-05-22 15:29 ` J. Bruce Fields
2012-05-22 15:40 ` Simo Sorce
2012-05-22 22:49 ` J. Bruce Fields
2012-05-22 22:52 ` Simo Sorce
2012-05-22 15:03 ` J. Bruce Fields
2012-05-22 15:12 ` Simo Sorce
2012-05-22 15:24 ` J. Bruce Fields
2012-05-22 15:36 ` Simo Sorce
2012-05-15 13:12 ` [PATCH 4/4] SUNRPC: Use gssproxy upcall for nfsd's RPCGSS authentication Simo Sorce
2012-05-22 22:48 ` J. Bruce Fields
2012-05-24 4:31 ` Simo Sorce
2012-05-24 11:08 ` J. Bruce Fields
2012-05-24 13:19 ` Simo Sorce
2012-05-25 14:05 ` J. Bruce Fields
2012-05-25 15:37 ` Simo Sorce
-- strict thread matches above, loose matches on Subject: below --
2012-05-25 22:09 [PATCH 0/4] Add support for new RPCSEC_GSS upcall mechanism for nfsd Simo Sorce
2012-05-25 22:09 ` [PATCH 2/4] SUNRPC: Document a bit RPCGSS handling in the NFS Server Simo Sorce