GSSPROXY ( for NFS with sec=krb5, krb5i , krb5p ) is development still active or is it being depreciated

GSSPROXY ( for NFS with sec=krb5, krb5i , krb5p ) is development still active or is it being depreciated

[Andrew J. Romero]

Hi

I noticed that in newer versions of Linux 
( for example: Red Hat Enterprise v9 ), the 
parameter  use-gss-proxy 
(in [gssd] section of /etc/nfs.conf file )
no longer exists.  Why not ?


I have also read that some security specialists
( noted in stigviewer.com ) theorize that gssproxy
increases security risk.


gssproxy facilitates the reliable use of Kerberos secured
NFS storage by non-interactive processes.

What are the plans for gssproxy:

a) continue to actively maintain gssproxy
   ( and resolve any security concerns )

b) quickly replace gssproxy with another
   facility to allow non-interactive processes
   to access Kerberos secured
   NFS storage

c) Declare that non-interactive process access to
   Kerberos secured NFS storage is being depreciated
   and people should either revert back to kludgy kinit cron scripts
   and the flakey gss kernel context behavior of the past
   or seek non-NFS solutions.  

Thanks

Andy Romero
Fermilab / ITD

RE: GSSPROXY ( for NFS with sec=krb5, krb5i , krb5p ) is development still active or is it being depreciated

[Andrew J. Romero]

Hi

Alexander Bokovoy provided excellent answers to most of my questions on this topic
See: Thread: gssproxy  security, configuration and life-cycle questions
on gss-proxy@lists.fedorahosted.org

Remaining question:  

Prior to RHEL-9 , in the section of the gssd man page
   ( under the heading CONFIGURATION FILE ...
    ....options  that  can be set on the command line can also be controlled through 
    .... values set in the [gssd] section of /etc/nfs.conf )
there was a configuration parameter "use-gss-proxy"

why was this parameter removed from the current man page, can it be re-added ?
( apparently the parameter is still functional ... if that's the case , it should not simply be removed
  from the documentation with no commentary )

Thanks

Andy Romero
Fermilab / ITD

Re: GSSPROXY ( for NFS with sec=krb5, krb5i , krb5p ) is development still active or is it being depreciated

[Benjamin Coddington]

On 13 Mar 2025, at 7:30, Andrew J. Romero wrote:

> Hi
>
> Alexander Bokovoy provided excellent answers to most of my questions on
> this topic See: Thread: gssproxy  security, configuration and life-cycle
> questions on gss-proxy@lists.fedorahosted.org
>
> Remaining question:
>
> Prior to RHEL-9 , in the section of the gssd man page ( under the heading
> CONFIGURATION FILE ...  ....options  that  can be set on the command line
> can also be controlled through .... values set in the [gssd] section of
> /etc/nfs.conf ) there was a configuration parameter "use-gss-proxy"

I don't see any git history of gssd.man with use-gss-proxy, but the value
does appear in nfs.conf.man.  It has not been removed there.  It probably
should be added to gssd.man.

> why was this parameter removed from the current man page, can it be
> re-added ?  ( apparently the parameter is still functional ... if that's
> the case , it should not simply be removed from the documentation with no
> commentary )

I'm not sure thats what happened.  It looks like it wasn't ever in gssd.man
to me.  Maybe Steve D can clarify?

Ben

Re: GSSPROXY ( for NFS with sec=krb5, krb5i , krb5p ) is development still active or is it being depreciated

[Scott Mayhew]

On Fri, 14 Mar 2025, Benjamin Coddington wrote:

> On 13 Mar 2025, at 7:30, Andrew J. Romero wrote:
> 
> > Hi
> >
> > Alexander Bokovoy provided excellent answers to most of my questions on
> > this topic See: Thread: gssproxy  security, configuration and life-cycle
> > questions on gss-proxy@lists.fedorahosted.org
> >
> > Remaining question:
> >
> > Prior to RHEL-9 , in the section of the gssd man page ( under the heading
> > CONFIGURATION FILE ...  ....options  that  can be set on the command line
> > can also be controlled through .... values set in the [gssd] section of
> > /etc/nfs.conf ) there was a configuration parameter "use-gss-proxy"
> 
> I don't see any git history of gssd.man with use-gss-proxy, but the value
> does appear in nfs.conf.man.  It has not been removed there.  It probably
> should be added to gssd.man.

I also looked at the repos we use to build the RHEL packages, and I
don't see any evidence that we ever shipped a RHEL-only patch that would
have documented use-gss-proxy in gssd.man.

Andrew - can you provide a specific RHEL package version where you saw this
documented in gssd.man (on the off change I missed something)?

Either way, I agree this should be documented.

-Scott
> 
> > why was this parameter removed from the current man page, can it be
> > re-added ?  ( apparently the parameter is still functional ... if that's
> > the case , it should not simply be removed from the documentation with no
> > commentary )
> 
> I'm not sure thats what happened.  It looks like it wasn't ever in gssd.man
> to me.  Maybe Steve D can clarify?
> 
> Ben
> 
> 

RE: GSSPROXY ( for NFS with sec=krb5, krb5i , krb5p ) is development still active or is it being depreciated

[Andrew J. Romero]

> From: Scott Mayhew <smayhew@redhat.com>
> 
> Andrew - can you provide a specific RHEL package version where you saw this
> documented in gssd.man (on the off change I missed something)?
> 

Hi Scott

It was a while ago when we wrote our internal procedures.
I thought I learned of the setting use-gss-proxy=yes  from
The man page; however, I may have learned this from another source
( gssproxy docs on github ? ) my memory is blurry ...

> Either way, I agree this should be documented.

We both agree on this 

Thanks !

Andy Romero

[nfs-utils PATCH] gssd.man: add documentation for use-gss-proxy nfs.conf option

[Scott Mayhew]

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
 utils/gssd/gssd.man | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man
index c735eff6..d9a264e8 100644
--- a/utils/gssd/gssd.man
+++ b/utils/gssd/gssd.man
@@ -392,6 +392,17 @@ Setting to
 is equivalent to providing the
 .B -H
 flag.
+.TP
+.B use-gss-proxy
+Setting this to 1 allows
+.BR gssproxy (8)
+to intercept GSSAPI calls and service them on behalf of
+.BR rpc.gssd ,
+enabling certain features such as keytab-based client initiation.
+Note that this has nothing to do with the functionality that
+.BR gssproxy (8)
+provides on behalf of the NFS server.  For more information, see
+.BR https://github.com/gssapi/gssproxy/blob/main/docs/NFS.md#nfs-client .
 .P
 In addtion, the following value is recognized from the
 .B [general]
@@ -405,7 +416,8 @@ Equivalent to
 .BR rpc.svcgssd (8),
 .BR kerberos (1),
 .BR kinit (1),
-.BR krb5.conf (5)
+.BR krb5.conf (5),
+.BR gssproxy (8)
 .SH AUTHORS
 .br
 Dug Song <dugsong@umich.edu>
-- 
2.48.1

Re: GSSPROXY ( for NFS with sec=krb5, krb5i , krb5p ) is development still active or is it being depreciated

[Steve Dickson]

On 3/14/25 8:18 AM, Benjamin Coddington wrote:
> On 13 Mar 2025, at 7:30, Andrew J. Romero wrote:
> 
>> Hi
>>
>> Alexander Bokovoy provided excellent answers to most of my questions on
>> this topic See: Thread: gssproxy  security, configuration and life-cycle
>> questions on gss-proxy@lists.fedorahosted.org
>>
>> Remaining question:
>>
>> Prior to RHEL-9 , in the section of the gssd man page ( under the heading
>> CONFIGURATION FILE ...  ....options  that  can be set on the command line
>> can also be controlled through .... values set in the [gssd] section of
>> /etc/nfs.conf ) there was a configuration parameter "use-gss-proxy"
> 
> I don't see any git history of gssd.man with use-gss-proxy, but the value
> does appear in nfs.conf.man.  It has not been removed there.  It probably
> should be added to gssd.man.
+1

> 
>> why was this parameter removed from the current man page, can it be
>> re-added ?  ( apparently the parameter is still functional ... if that's
>> the case , it should not simply be removed from the documentation with no
>> commentary )
> 
> I'm not sure thats what happened.  It looks like it wasn't ever in gssd.man
> to me.  Maybe Steve D can clarify?

My question is does the use-gss-proxy param need to be on
by default... I agree that parameter needs to be documented in the
gssd.man man page... which smayhew as sent a patch.

Does use-gss-proxy=yes add more complexity that is needed?

Personally I would like to turn it off.

steved.

Re: GSSPROXY ( for NFS with sec=krb5, krb5i , krb5p ) is development still active or is it being depreciated

[Chuck Lever]

On 3/15/25 11:17 AM, Steve Dickson wrote:
> 
> 
> On 3/14/25 8:18 AM, Benjamin Coddington wrote:
>> On 13 Mar 2025, at 7:30, Andrew J. Romero wrote:
>>
>>> Hi
>>>
>>> Alexander Bokovoy provided excellent answers to most of my questions on
>>> this topic See: Thread: gssproxy  security, configuration and life-cycle
>>> questions on gss-proxy@lists.fedorahosted.org
>>>
>>> Remaining question:
>>>
>>> Prior to RHEL-9 , in the section of the gssd man page ( under the
>>> heading
>>> CONFIGURATION FILE ...  ....options  that  can be set on the command
>>> line
>>> can also be controlled through .... values set in the [gssd] section of
>>> /etc/nfs.conf ) there was a configuration parameter "use-gss-proxy"
>>
>> I don't see any git history of gssd.man with use-gss-proxy, but the value
>> does appear in nfs.conf.man.  It has not been removed there.  It probably
>> should be added to gssd.man.
> +1
> 
>>
>>> why was this parameter removed from the current man page, can it be
>>> re-added ?  ( apparently the parameter is still functional ... if that's
>>> the case , it should not simply be removed from the documentation
>>> with no
>>> commentary )
>>
>> I'm not sure thats what happened.  It looks like it wasn't ever in
>> gssd.man
>> to me.  Maybe Steve D can clarify?
> 
> My question is does the use-gss-proxy param need to be on
> by default... I agree that parameter needs to be documented in the
> gssd.man man page... which smayhew as sent a patch.
> 
> Does use-gss-proxy=yes add more complexity that is needed?
> 
> Personally I would like to turn it off.

AIUI it is always off on clients, but some NFSD configs utilize
gssproxy. Not sure how you would code that in /etc/nfs.conf ...?


-- 
Chuck Lever

[nfs-utils PATCH v2] gssd.man: add documentation for use-gss-proxy nfs.conf option

[Scott Mayhew]

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---

v2 - slight phrasing change.

 utils/gssd/gssd.man | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man
index c735eff6..4a75b056 100644
--- a/utils/gssd/gssd.man
+++ b/utils/gssd/gssd.man
@@ -392,6 +392,17 @@ Setting to
 is equivalent to providing the
 .B -H
 flag.
+.TP
+.B use-gss-proxy
+Setting this to 1 allows
+.BR gssproxy (8)
+to intercept GSSAPI calls and service them on behalf of
+.BR rpc.gssd ,
+enabling certain features such as keytab-based client initiation.
+Note that this is unrelated to the functionality that
+.BR gssproxy (8)
+provides on behalf of the NFS server.  For more information, see
+.BR https://github.com/gssapi/gssproxy/blob/main/docs/NFS.md#nfs-client .
 .P
 In addtion, the following value is recognized from the
 .B [general]
@@ -405,7 +416,8 @@ Equivalent to
 .BR rpc.svcgssd (8),
 .BR kerberos (1),
 .BR kinit (1),
-.BR krb5.conf (5)
+.BR krb5.conf (5),
+.BR gssproxy (8)
 .SH AUTHORS
 .br
 Dug Song <dugsong@umich.edu>
-- 
2.48.1

Re: [nfs-utils PATCH v2] gssd.man: add documentation for use-gss-proxy nfs.conf option

[Steve Dickson]

On 3/17/25 9:22 AM, Scott Mayhew wrote:
> Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Committed... (tag: nfs-utils-2-8-3-rc8)

steved.
> ---
> 
> v2 - slight phrasing change.
> 
>   utils/gssd/gssd.man | 14 +++++++++++++-
>   1 file changed, 13 insertions(+), 1 deletion(-)
> 
> diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man
> index c735eff6..4a75b056 100644
> --- a/utils/gssd/gssd.man
> +++ b/utils/gssd/gssd.man
> @@ -392,6 +392,17 @@ Setting to
>   is equivalent to providing the
>   .B -H
>   flag.
> +.TP
> +.B use-gss-proxy
> +Setting this to 1 allows
> +.BR gssproxy (8)
> +to intercept GSSAPI calls and service them on behalf of
> +.BR rpc.gssd ,
> +enabling certain features such as keytab-based client initiation.
> +Note that this is unrelated to the functionality that
> +.BR gssproxy (8)
> +provides on behalf of the NFS server.  For more information, see
> +.BR https://github.com/gssapi/gssproxy/blob/main/docs/NFS.md#nfs-client .
>   .P
>   In addtion, the following value is recognized from the
>   .B [general]
> @@ -405,7 +416,8 @@ Equivalent to
>   .BR rpc.svcgssd (8),
>   .BR kerberos (1),
>   .BR kinit (1),
> -.BR krb5.conf (5)
> +.BR krb5.conf (5),
> +.BR gssproxy (8)
>   .SH AUTHORS
>   .br
>   Dug Song <dugsong@umich.edu>

Re: GSSPROXY ( for NFS with sec=krb5, krb5i , krb5p ) is development still active or is it being depreciated

[Charles Hedrick]

> From: Andrew J. Romero <romero@fnal.gov>

> I noticed that in newer versions of Linux
> ( for example: Red Hat Enterprise v9 ), the
> parameter  use-gss-proxy
> (in [gssd] section of /etc/nfs.conf file )
>no longer exists.  Why not ?

> I have also read that some security specialists
> ( noted in stigviewer.com ) theorize that gssproxy
> increases security risk.

> gssproxy facilitates the reliable use of Kerberos secured
> NFS storage by non-interactive processes.

Note that there are two different uses for gssproxy, on client and server side of NFS. On the server side there's no current alternative. The older rpc.svcgssd has a limit to the ticket size that makes it not work reliably with the newest versions of Kerberos (versions using PACs).

We are currently using one of the kludges you refer to. I was planning to moving to gssproxy with constrained delegation, since that is a standard feature and thus likely to be easier for other staff to support. If there's serious plans to decommission gssproxy, I'd like to know, so I can arrange to make my kludge more supportable. Supporting cron jobs is essential.

RE: GSSPROXY ( for NFS with sec=krb5, krb5i , krb5p ) is development still active or is it being depreciated

[Andrew Romero]

Hi

I’m still using gssproxy on the client side ( so that non interactive processes can access “kerberized” NFS volumes )

Note: I believe that the security issue was not a real issue, just the general recommendation not to run services unless you are actually using them 

Also,  I believe that the use-gss-proxy parameter is still valid.
The issue was just a man page issue … which I believe was resolved 


Andy


> From: linux-nfs+owner@vger.kernel.org <linux-nfs+owner@vger.kernel.org>
> 
> Your message to <linux-nfs@vger.kernel.org> was not delivered to the list
> because it contained a HTML part. Only text/plain messages are allowed on
> this list.
> 



> -----Original Message-----
> From: Charles Hedrick <hedrick@rutgers.edu>
> Sent: Thursday, September 4, 2025 12:53 PM
> To: Andrew Romero <romero@fnal.gov>; linux-nfs@vger.kernel.org
> Subject: Re: GSSPROXY ( for NFS with sec=krb5, krb5i , krb5p ) is development
> still active or is it being depreciated
> 
> [EXTERNAL] – This message is from an external sender
> 
> > From: Andrew J. Romero <romero@fnal.gov>
> 
> > I noticed that in newer versions of Linux
> > ( for example: Red Hat Enterprise v9 ), the
> > parameter  use-gss-proxy
> > (in [gssd] section of /etc/nfs.conf file )
> >no longer exists.  Why not ?
> 
> > I have also read that some security specialists
> > ( noted in stigviewer.com ) theorize that gssproxy
> > increases security risk.
> 
> > gssproxy facilitates the reliable use of Kerberos secured
> > NFS storage by non-interactive processes.
> 
> Note that there are two different uses for gssproxy, on client and server side of
> NFS. On the server side there's no current alternative. The older rpc.svcgssd has
> a limit to the ticket size that makes it not work reliably with the newest versions
> of Kerberos (versions using PACs).
> 
> We are currently using one of the kludges you refer to. I was planning to moving
> to gssproxy with constrained delegation, since that is a standard feature and
> thus likely to be easier for other staff to support. If there's serious plans to
> decommission gssproxy, I'd like to know, so I can arrange to make my kludge
> more supportable. Supporting cron jobs is essential.