xref: /linux/Documentation/filesystems/nfs/rpc-server-gss.rst (revision c69f22f25f1105cb4e629b5c2da61a245b653ce1)
=========================================
rpcsec_gss support for kernel RPC servers
=========================================

This document gives references to the standards and protocols used to
implement RPCGSS authentication in kernel RPC servers such as the NFS
server and the NFS client's NFSv4.0 callback server.  (But note that
NFSv4.1 and higher don't require the client to act as a server for the
purposes of authentication.)

RPCGSS is specified in a few IETF documents:

 - RFC2203 v1: https://tools.ietf.org/rfc/rfc2203.txt
 - RFC5403 v2: https://tools.ietf.org/rfc/rfc5403.txt

and there is a third version being proposed:

 - https://tools.ietf.org/id/draft-williams-rpcsecgssv3.txt
   (At draft n. 02 at the time of writing)

Background
==========

The RPCGSS Authentication method describes a way to perform GSSAPI
Authentication for NFS.  Although GSSAPI is itself completely mechanism
agnostic, in many cases only the KRB5 mechanism is supported by NFS
implementations.

The Linux kernel, at the moment, supports only the KRB5 mechanism, and
depends on GSSAPI extensions that are KRB5 specific.

GSSAPI is a complex library, and implementing it completely in kernel is
unwarranted. However, GSSAPI operations are fundamentally separable into
two parts:

- initial context establishment
- integrity/privacy protection (signing and encrypting of individual
  packets)

The former is more complex and policy-independent, but less
performance-sensitive.  The latter is simpler and needs to be very fast.

Therefore, we perform per-packet integrity and privacy protection in the
kernel, but leave the initial context establishment to userspace.  We
need upcalls to request userspace to perform context establishment.

NFS Server Legacy Upcall Mechanism
==================================

The classic upcall mechanism uses a custom text based upcall mechanism
to talk to a custom daemon called rpc.svcgssd that is provided by the
nfs-utils package.

This upcall mechanism has 2 limitations:

A) It can handle tokens that are no bigger than 2KiB

In some Kerberos deployments GSSAPI tokens can be quite big, up to and
beyond 64KiB in size, due to various authorization extensions attached to
the Kerberos tickets that need to be sent through the GSS layer in
order to perform context establishment.

B) It does not properly handle creds where the user is a member of more
than a few thousand groups (the current hard limit in the kernel is 65K
groups) due to the limitation on the size of the buffer that can be sent
back to the kernel (4KiB).

NFS Server New RPC Upcall Mechanism
===================================

The newer upcall mechanism uses RPC over a unix socket to a daemon
called gss-proxy, implemented by a userspace program called Gssproxy.

The gss_proxy RPC protocol is currently documented `here
<https://fedorahosted.org/gss-proxy/wiki/ProtocolDocumentation>`_.

This upcall mechanism uses the kernel rpc client and connects to the gssproxy
userspace program over a regular unix socket. The gssproxy protocol does not
suffer from the size limitations of the legacy protocol.

Negotiating Upcall Mechanisms
=============================

To provide backward compatibility, the kernel defaults to using the
legacy mechanism.  To switch to the new mechanism, gss-proxy must bind
to /var/run/gssproxy.sock and then write "1" to
/proc/net/rpc/use-gss-proxy.  If gss-proxy dies, it must repeat both
steps.

Once the upcall mechanism is chosen, it cannot be changed.  To prevent
locking into the legacy mechanism, the above steps must be performed
before starting nfsd.  Whoever starts nfsd can guarantee this by reading
from /proc/net/rpc/use-gss-proxy and checking that it contains a
"1"--the read will block until gss-proxy has done its write to the file.
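As an added example, not part of this kernel documentation nor of nfs-utils or Gssproxy, the following POSIX shell helper implements the check described above for whatever script starts nfsd. The file path is a parameter (the real one is /proc/net/rpc/use-gss-proxy) so the helper can be exercised against a constructed file, and the timeout is an assumption so that a gss-proxy that never comes up fails the start instead of blocking it forever.

```shell
#!/bin/sh
# Added example: block until the use-gss-proxy file reads "1", with a timeout.
# Because the kernel holds the read open until gss-proxy has written "1",
# a plain "cat" could hang the boot if gss-proxy is not running; the read is
# therefore done in a background job that is abandoned after TIMEOUT seconds.
# Exit status: 0 when the file reads "1", 1 on "0" or timeout, 2 on usage error.
#
# wait_for_gss_proxy FILE [TIMEOUT_SECONDS]
wait_for_gss_proxy() {
    file=$1
    timeout_s=${2:-30}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    tmp=$(mktemp) || return 2
    # Read a single byte: "1" means gss-proxy has bound its socket and
    # enabled itself, so nfsd will negotiate the new upcall mechanism.
    ( head -c 1 "$file" > "$tmp" ) &
    reader=$!
    elapsed=0
    while kill -0 "$reader" 2>/dev/null; do
        if [ "$elapsed" -ge "$timeout_s" ]; then
            kill "$reader" 2>/dev/null
            rm -f "$tmp"
            echo "timed out waiting for gss-proxy to write 1 to $file" >&2
            return 1
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    value=$(cat "$tmp")
    rm -f "$tmp"
    if [ "$value" = "1" ]; then
        return 0
    fi
    echo "$file reads '$value', nfsd would lock into the legacy upcall" >&2
    return 1
}

# Intended use in an nfsd start script (assumed command, kept as a comment so
# this file does nothing when sourced for testing):
#   wait_for_gss_proxy /proc/net/rpc/use-gss-proxy 30 && systemctl start nfs-server
```

Starting nfsd only after this returns 0 prevents the server from being locked into the legacy rpc.svcgssd path with its 2KiB token and 4KiB credential limits.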
95