From: Chuck Lever <chuck.lever@oracle.com>
To: Tom Haynes <tdh-8AdZ+HgO7noAvxtiuMwx3w@public.gmane.org>
Cc: linux-nfs@vger.kernel.org
Subject: Re: Security negotiation
Date: Fri, 10 Jul 2009 14:57:18 -0400 [thread overview]
Message-ID: <D8976FEC-39F9-4FF4-8FCE-AB3D5B047DFB@oracle.com> (raw)
In-Reply-To: <4A578372.1020005-8AdZ+HgO7noAvxtiuMwx3w@public.gmane.org>
On Jul 10, 2009, at 2:07 PM, Tom Haynes wrote:
> During a NFSv3 mount request, the server returns an array of
> supported security flavors.
>
> With a Linux server, exports(5) states:
>
> For the purposes of security flavor negotiation, order counts:
> preferred flavors should be listed first.
>
> And the Solaris client states in mount_nfs(1M):
>
> NFS Version 3 mounts negotiate a security mode when the server
> returns an array of security modes. The
> client picks the first mode in the array that is supported on the
> client. In negotiations, an NFS Version 3 client
> is limited to the security flavors listed in /etc/nfssec.conf.
>
> The Linux nfs(5) states:
>
> If the sec option is not specified, or if sec=sys is specified,
> the NFS client uses the AUTH_SYS
> security flavor for all NFS requests on this mount point.
>
> So, I'm trying to understand what the Linux client would do if the
> export does not support AUTH_SYS and
> there is no sec= supplied.
>
> Does the Linux client traverse the array in order until it finds a
> match or does it consider which flavor is strongest?
The legacy mount command does this (kernels earlier than 2.6.23) but
the kernel mount client does not yet. I intend to submit patches for
this (today, actually) for 2.6.32.
The patches will walk the auth_list returned by mountd. By default it
will look for AUTH_SYS, otherwise it will look for the flavor
specified by the sec= mount option.
If mountd does not provide AUTH_SYS a mount request with no sec= will
fail. Should it try the first one in the list instead? What if the
first one is AUTH_NULL?
--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com
next prev parent reply other threads:[~2009-07-10 18:57 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-07-10 18:07 Security negotiation Tom Haynes
[not found] ` <4A578372.1020005-8AdZ+HgO7noAvxtiuMwx3w@public.gmane.org>
2009-07-10 18:57 ` Chuck Lever [this message]
2009-07-10 20:11 ` Chuck Lever
2009-07-10 20:55 ` Tom Haynes
[not found] ` <4A57AADE.8080002-8AdZ+HgO7noAvxtiuMwx3w@public.gmane.org>
2009-07-10 21:37 ` Chuck Lever
2009-07-10 22:38 ` Tom Haynes
[not found] ` <4A57C2F3.4070109-8AdZ+HgO7noAvxtiuMwx3w@public.gmane.org>
2009-07-10 22:45 ` Trond Myklebust
[not found] ` <1247265922.8254.30.camel-rJ7iovZKK19ZJLDQqaL3InhyD016LWXt@public.gmane.org>
2009-07-13 16:07 ` Tom Haynes
2009-07-13 16:20 ` Trond Myklebust
[not found] ` <1247502007.14524.3.camel-rJ7iovZKK19ZJLDQqaL3InhyD016LWXt@public.gmane.org>
2009-07-13 16:44 ` Tom Haynes
2009-07-13 17:41 ` J. Bruce Fields
2009-07-14 18:24 ` Tom Haynes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D8976FEC-39F9-4FF4-8FCE-AB3D5B047DFB@oracle.com \
--to=chuck.lever@oracle.com \
--cc=linux-nfs@vger.kernel.org \
--cc=tdh-8AdZ+HgO7noAvxtiuMwx3w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox