From: "J. Bruce Fields" <bfields@fieldses.org>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
David Noveck <david.noveck@emc.com>
Subject: Re: NFS: Treat NFS4ERR_CLID_INUSE as a fatal error
Date: Thu, 9 Aug 2012 17:38:38 -0400 [thread overview]
Message-ID: <20120809213838.GC11538@fieldses.org> (raw)
In-Reply-To: <6575B2FD-CCE4-40D5-9CBA-82681EC20E17@oracle.com>
On Thu, Aug 09, 2012 at 05:29:47PM -0400, Chuck Lever wrote:
>
> On Aug 9, 2012, at 5:13 PM, J. Bruce Fields wrote:
> > The server could just compare principal strings (and ignore
> > pseudoflavors) in the gss case.
>
> Barring a correction about how GSS Kerberos principals work, I think that's the correct approach.
I also don't know if principals produced by other mechanisms are going
to be comparable. Of course that's a bit academic given that kerberos
is the only mechanism for the forseeable future.
> > If the intention is to ensure that a clientid can't be "hijacked" by
> > someone malicious, then you don't want to allow a krb5 setclientid to
> > blow away a clientid established with krb5i. (If sending the
> > setclientid with krb5i indicates the client wants protection against
> > attacks which replace the body of the rpc, then a later krb5 setclientid
> > should be rejected, since it could be the product of such an attack.)
>
> If the client wants to avoid hijacking, it should start out with krb5i, as is recommended in the Security Considerations section of 3530(bis).
>
> The intention of 3530(bis) is that one client instance uses just one nfs_client_id4.id string. A client that attempts to change flavors on its SETCLIENTID/RENEW operations in mid-journey, on purpose, seems a little schizophrenic. I can't think of a good reason it should do this.
You don't know it's the same client any more. The attack is:
client sends setclientid with krb5i.
client later sends some other rpc with krb5.
attacker intercepts that operation, takes the rpc header, strips
out the body, and replaces the body by a setclientid operation
destroying the client's state.
Since krb5 only protects the header, the server can't tell that's what's
happened.
--b.
next prev parent reply other threads:[~2012-08-09 21:38 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-09 18:35 NFS: Treat NFS4ERR_CLID_INUSE as a fatal error J. Bruce Fields
2012-08-09 19:06 ` Chuck Lever
2012-08-09 19:37 ` J. Bruce Fields
2012-08-09 20:38 ` J. Bruce Fields
2012-08-09 20:46 ` Chuck Lever
2012-08-09 20:52 ` Chuck Lever
2012-08-09 21:13 ` J. Bruce Fields
2012-08-09 21:29 ` Chuck Lever
2012-08-09 21:38 ` J. Bruce Fields [this message]
2012-08-10 19:38 ` Chuck Lever
2012-08-10 20:13 ` J. Bruce Fields
2012-08-10 20:33 ` Chuck Lever
2012-08-10 20:39 ` J. Bruce Fields
2012-08-10 20:53 ` J. Bruce Fields
2012-08-10 21:22 ` Chuck Lever
2012-08-21 18:24 ` J. Bruce Fields
2012-08-21 18:57 ` Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120809213838.GC11538@fieldses.org \
--to=bfields@fieldses.org \
--cc=chuck.lever@oracle.com \
--cc=david.noveck@emc.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox