From: Steve Dickson <SteveD@redhat.com>
To: "Myklebust, Trond" <Trond.Myklebust@netapp.com>
Cc: Linux NFS Mailing list <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH] Adding the nfs4_use_min_auth module parameter
Date: Fri, 08 Nov 2013 07:21:57 -0500 [thread overview]
Message-ID: <527CD765.1000903@RedHat.com> (raw)
In-Reply-To: <1383863394.12966.63.camel@leira.trondhjem.org>
On 07/11/13 17:29, Myklebust, Trond wrote:
>> Again, what servers, today, support this type of secure state establishment?
>> > Having this type of security in the client I think is good... but if
>> > the client is not talking with any servers that support this type
>> > of security, why not have a way to turn it off?
> I don't understand. Servers are _required_ to support RPCSEC_GSS with
> krb5 by both RFC3530 and RFC5661. AUTH_SYS is, in fact, the optional
> flavour.
Agreed... 100% of the NFSv4 server have to support RPCSEC_GSS. its mandated
by the spec(s).
>
> The problem here is that sometimes kerberos isn't configured by the
> admin, who then expects that it shouldn't be necessary to run rpc.gssd
> or rpc.svcgssd. It is necessary because we first try the
> mandatory-to-implement and secure RPCSEC_GSS/krb5i flavour before
> falling back to the less secure AUTH_SYS...
Sometimes? Its generally not.. from my experience...
Basically how I interpret this last paragraph, is we will be requiring
admins set up secure mounts for them to avoid the 15sec delay mount
times... aka... running a daemon that will say "no, no there is no
security here" while spewing of log messages when Kerberos is not setup...
>
>>>>>>> > >>> > > I think we should rather looks at adding a new mount option for
>>>>>>> > >>> > > specifying the security flavour to use when establishing basic NFSv4.x
>>>>>>> > >>> > > state, and then perhaps specifying the _default_ for that mount option
>>>>>>> > >>> > > using a module parameter.
>>>>> > >> > The problem is everything is hard code in these two areas so having
>>>>> > >> > a mount option would not work...
>>> > > We can change that code.
>>> > >
>>>>> > >> > The fact that -o sec=sys does not turn off the use of AUTH_GSS_KRB5x
>>>>> > >> > is simple wrong... IMHO...
>>> > > I beg to differ. The problem previously was that it _did_ set the policy
>>> > > for the state management, and that meant that if you has 2 mounts on the
>>> > > same server with different security flavours, then then client behaviour
>>> > > depended on the order of the mounts. Get the order wrong, and you get
>>> > > anything from outright errors (CLID_IN_USE) to insecure behaviour.
>> > I see your point... but requiring all mounts to use some form
>> > of security I don't think is the answer either...
> I'm saying that we may need a way to specify the security flavour to be
> used by the client's state manager when establishing the NFSv4 lease,
> and that would need to be done on a per-server basis.
Yes! I agree... But we also have to have away turn off secure lease
establishments when the server does support such technology.
I'm not saying we don't need this type of technology, I'm saying
we need a better to manage it. Having this module parameter is
away to manage it.
steved.
next prev parent reply other threads:[~2013-11-08 12:20 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-07 19:09 [PATCH] Adding the nfs4_use_min_auth module parameter Steve Dickson
2013-11-07 19:25 ` Chuck Lever
2013-11-07 21:01 ` Jeff Layton
2013-11-07 21:40 ` Steve Dickson
2013-11-07 22:04 ` Jeff Layton
2013-11-07 21:35 ` Steve Dickson
2013-11-07 23:05 ` Chuck Lever
2013-11-08 12:41 ` Steve Dickson
2013-11-08 13:22 ` Jeff Layton
2013-11-08 15:00 ` Steve Dickson
2013-11-08 15:12 ` Jeff Layton
2013-11-08 16:10 ` Steve Dickson
2013-11-08 16:17 ` J. Bruce Fields
2013-11-08 16:19 ` Steve Dickson
2013-11-08 16:22 ` J. Bruce Fields
2013-11-08 16:28 ` Steve Dickson
2013-11-08 16:39 ` J. Bruce Fields
2013-11-08 16:45 ` Steve Dickson
2013-11-08 18:12 ` Chuck Lever
2013-11-08 18:09 ` Chuck Lever
2013-11-08 20:14 ` J. Bruce Fields
2013-11-08 20:32 ` Steve Dickson
2013-11-09 2:04 ` NeilBrown
2013-11-08 16:27 ` Weston Andros Adamson
2013-11-08 16:38 ` Steve Dickson
2013-11-08 15:04 ` J. Bruce Fields
2013-11-08 15:54 ` Chuck Lever
2013-11-08 16:14 ` J. Bruce Fields
2013-11-08 17:58 ` Chuck Lever
2013-11-08 18:46 ` Chuck Lever
2013-11-08 21:09 ` J. Bruce Fields
2013-11-08 16:17 ` Steve Dickson
2013-11-08 15:46 ` Chuck Lever
2013-11-08 21:25 ` Steve Dickson
2013-11-07 19:26 ` Myklebust, Trond
2013-11-07 21:25 ` Steve Dickson
2013-11-07 21:39 ` Myklebust, Trond
2013-11-07 21:57 ` Steve Dickson
2013-11-07 22:29 ` Myklebust, Trond
2013-11-08 12:21 ` Steve Dickson [this message]
2013-11-08 14:30 ` Myklebust, Trond
2013-11-08 15:08 ` Steve Dickson
2013-11-08 15:16 ` Myklebust, Trond
2013-11-08 16:31 ` Steve Dickson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=527CD765.1000903@RedHat.com \
--to=steved@redhat.com \
--cc=Trond.Myklebust@netapp.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).