rpc-server-gss.txt 3.6 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192
  1. rpcsec_gss support for kernel RPC servers
  2. =========================================
  3. This document gives references to the standards and protocols used to
  4. implement RPCGSS authentication in kernel RPC servers such as the NFS
  5. server and the NFS client's NFSv4.0 callback server. (But note that
  6. NFSv4.1 and higher don't require the client to act as a server for the
  7. purposes of authentication.)
  8. RPCGSS is specified in a few IETF documents:
  9. - RFC2203 v1: http://tools.ietf.org/rfc/rfc2203.txt
  10. - RFC5403 v2: http://tools.ietf.org/rfc/rfc5403.txt
  11. and there is a 3rd version being proposed:
  12. - http://tools.ietf.org/id/draft-williams-rpcsecgssv3.txt
  13. (At draft n. 02 at the time of writing)
  14. Background
  15. ----------
  16. The RPCGSS Authentication method describes a way to perform GSSAPI
  17. Authentication for NFS. Although GSSAPI is itself completely mechanism
  18. agnostic, in many cases only the KRB5 mechanism is supported by NFS
  19. implementations.
  20. The Linux kernel, at the moment, supports only the KRB5 mechanism, and
  21. depends on GSSAPI extensions that are KRB5 specific.
  22. GSSAPI is a complex library, and implementing it completely in kernel is
  23. unwarranted. However GSSAPI operations are fundementally separable in 2
  24. parts:
  25. - initial context establishment
  26. - integrity/privacy protection (signing and encrypting of individual
  27. packets)
  28. The former is more complex and policy-independent, but less
  29. performance-sensitive. The latter is simpler and needs to be very fast.
  30. Therefore, we perform per-packet integrity and privacy protection in the
  31. kernel, but leave the initial context establishment to userspace. We
  32. need upcalls to request userspace to perform context establishment.
  33. NFS Server Legacy Upcall Mechanism
  34. ----------------------------------
  35. The classic upcall mechanism uses a custom text based upcall mechanism
  36. to talk to a custom daemon called rpc.svcgssd that is provide by the
  37. nfs-utils package.
  38. This upcall mechanism has 2 limitations:
  39. A) It can handle tokens that are no bigger than 2KiB
  40. In some Kerberos deployment GSSAPI tokens can be quite big, up and
  41. beyond 64KiB in size due to various authorization extensions attacked to
  42. the Kerberos tickets, that needs to be sent through the GSS layer in
  43. order to perform context establishment.
  44. B) It does not properly handle creds where the user is member of more
  45. than a few thousand groups (the current hard limit in the kernel is 65K
  46. groups) due to limitation on the size of the buffer that can be send
  47. back to the kernel (4KiB).
  48. NFS Server New RPC Upcall Mechanism
  49. -----------------------------------
  50. The newer upcall mechanism uses RPC over a unix socket to a daemon
  51. called gss-proxy, implemented by a userspace program called Gssproxy.
  52. The gss_proxy RPC protocol is currently documented here:
  53. https://fedorahosted.org/gss-proxy/wiki/ProtocolDocumentation
  54. This upcall mechanism uses the kernel rpc client and connects to the gssproxy
  55. userspace program over a regular unix socket. The gssproxy protocol does not
  56. suffer from the size limitations of the legacy protocol.
  57. Negotiating Upcall Mechanisms
  58. -----------------------------
  59. To provide backward compatibility, the kernel defaults to using the
  60. legacy mechanism. To switch to the new mechanism, gss-proxy must bind
  61. to /var/run/gssproxy.sock and then write "1" to
  62. /proc/net/rpc/use-gss-proxy. If gss-proxy dies, it must repeat both
  63. steps.
  64. Once the upcall mechanism is chosen, it cannot be changed. To prevent
  65. locking into the legacy mechanisms, the above steps must be performed
  66. before starting nfsd. Whoever starts nfsd can guarantee this by reading
  67. from /proc/net/rpc/use-gss-proxy and checking that it contains a
  68. "1"--the read will block until gss-proxy has done its write to the file.