Re: NFSv4 backchannel authentication

On Tue, 2012-08-07 at 11:41 -0400, J. Bruce Fields wrote:
> On Mon, Aug 06, 2012 at 03:55:17PM +0200, Lukas Hejtmanek wrote:
> > it seems that RHEL NFSv4 servers use GSS authentication for backchannels as
> > well (if mount it with GSS). That would be OK, but it requires that server is
> > running rpc.gssd and the client is running rpc.svcgssd, which is not usual.
> 
> The init scripts probably need to be fixed to start both in both cases.
> Worth filing a bug, I think.
> 
> > Is there a way how to mount clients with sec=krb5/i/p and use backchannels just
> > with UNIX auth?
> 
> Not with NFSv4; from http://www.ietf.org/rfc/rfc3530.txt section 3.4:
> 
> 	"Except as noted elsewhere in this section, the callback RPC
> 	(described later) MUST mutually authenticate the NFS server to
> 	the principal that acquired the clientid (also described later),
> 	using the security flavor the original SETCLIENTID operation
> 	used."
> 
> (Actually, perhaps there's a loophole that would allow SETCLIENTID to be
> done with auth_sys while file access is still done with gss.  I don't
> think so, but I forget the details.  In practice the clients do all use
> gss.)

Yes, you can do this, however that requires the server to be configured
to accept rpcsec_gss and auth_sys from that client.
It also allows anyone to spoof a callback to your client.
Furthermore, it would allow anybody to send SETCLIENTID calls using the
same client id to the server and so they can declare your client to have
rebooted (so that all state is lost), they can divert callbacks to
another machine, ....
IOW: it is not really something you want to allow on an untrusted
network.

> 4.1 does allow the client to request a different security flavor on the
> backchannel, and the linux client does use auth_sys on the backchannel
> even when using gss on the forechannel.

Yes, and that leaves less room for spoofing because the back channel
connection is set up by the client.

-- 
Trond Myklebust
Linux NFS client maintainer

NetApp
Trond.Myklebust@xxxxxxxxxx
www.netapp.com
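The practical upshot of the thread is that a Kerberos NFSv4.0 mount needs both rpc.gssd and rpc.svcgssd on both machines, while an NFSv4.1 mount from a Linux client only needs the forechannel daemon on each side. The following script is an added example, not code from this thread or from nfs-utils: it reads /proc/mounts-style text and a list of running process names (both passed as arguments, so it runs on constructed sample data; on a live host you would pass "$(cat /proc/mounts)" and "$(ps -eo comm=)") and reports which daemons each side is missing. It assumes the daemon names used in the thread, the /proc/mounts option spellings "vers=4.1" and "vers=4,minorversion=1", and a Linux client that requests auth_sys on the 4.1 backchannel as described above; the sample mount and process lists are constructed for the example.

```shell
#!/bin/sh
# Added example (not nfs-utils code). Work out which RPCSEC_GSS daemons a
# client or server needs for each Kerberos NFSv4 mount and which are missing.

# krb5_nfs4_mounts MOUNTS_TEXT
# Prints "mountpoint flavor minorversion" for each NFSv4 mount whose sec=
# option is a krb5 flavor. Accepts "vers=4.1" and "vers=4,minorversion=1".
krb5_nfs4_mounts() {
    printf '%s\n' "$1" | awk '
        $3 == "nfs4" || $3 == "nfs" {
            flavor = ""; vers = ""; minor = "0"
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) {
                if (o[i] ~ /^sec=/) { flavor = substr(o[i], 5) }
                else if (o[i] ~ /^vers=/) { vers = substr(o[i], 6) }
                else if (o[i] ~ /^minorversion=/) { minor = substr(o[i], 14) }
            }
            if (vers !~ /^4/) next
            if (vers ~ /^4\./) { split(vers, v, "."); minor = v[2] }
            if (flavor ~ /^krb5/) print $2, flavor, minor
        }'
}

# needed_daemons ROLE FLAVOR MINORVERSION   (ROLE is "client" or "server")
# NFSv4.0: the callback must use the flavor SETCLIENTID used (RFC 3530 s.3.4),
# so each side both initiates GSS contexts (rpc.gssd) and accepts them
# (rpc.svcgssd). NFSv4.1: the backchannel rides the client-initiated
# connection and the Linux client asks for auth_sys on it (assumption: a
# Linux client as described in the thread), so only the forechannel daemon
# is needed on each side.
needed_daemons() {
    role=$1; flavor=$2; minor=${3:-0}
    case $flavor in
        krb5|krb5i|krb5p) ;;
        *) echo ""; return 0 ;;
    esac
    case "$role:$minor" in
        client:0) echo "rpc.gssd rpc.svcgssd" ;;
        server:0) echo "rpc.svcgssd rpc.gssd" ;;
        client:*) echo "rpc.gssd" ;;
        server:*) echo "rpc.svcgssd" ;;
        *) echo "" ;;
    esac
}

# missing_daemons "NAME NAME..." PROCLIST_TEXT
# Prints the names not present in PROCLIST_TEXT (one process name per line).
missing_daemons() {
    missing=""
    for d in $1; do
        printf '%s\n' "$2" | grep -qxF "$d" || missing="$missing $d"
    done
    echo "${missing# }"
}

# check_side ROLE MOUNTS_TEXT PROCLIST_TEXT
# Prints one status line per krb5 NFSv4 mount; returns 1 if any daemon is
# missing for this side, 0 otherwise.
check_side() {
    out=$(krb5_nfs4_mounts "$2" | while read -r mnt flavor minor; do
        miss=$(missing_daemons "$(needed_daemons "$1" "$flavor" "$minor")" "$3")
        if [ -n "$miss" ]; then
            echo "$mnt ($flavor, v4.$minor): missing $miss"
        else
            echo "$mnt ($flavor, v4.$minor): ok"
        fi
    done)
    printf '%s\n' "$out"
    case $out in *missing*) return 1 ;; esac
    return 0
}

# Constructed sample data (not captured from a real host): a v4.0 krb5p mount,
# a v4.1 krb5 mount, and a v3 sys mount; only rpc.gssd is running.
SAMPLE_MOUNTS='nfs1.example.org:/export /mnt/a nfs4 rw,relatime,vers=4.0,rsize=1048576,sec=krb5p,clientaddr=10.0.0.2,addr=10.0.0.1 0 0
nfs2.example.org:/export /mnt/b nfs4 rw,relatime,vers=4,minorversion=1,sec=krb5,clientaddr=10.0.0.2,addr=10.0.0.3 0 0
nfs3.example.org:/export /mnt/c nfs rw,relatime,vers=3,sec=sys,addr=10.0.0.4 0 0'
SAMPLE_PROCS='rpc.gssd
sshd
rpcbind'

# Demo run as the client side; the v4.0 mount is flagged, the v4.1 one is not.
check_side client "$SAMPLE_MOUNTS" "$SAMPLE_PROCS" || echo "start the missing daemon(s) before relying on callbacks"
```

Run it once with ROLE=client on the client and once with ROLE=server on the server; the server check matters because with NFSv4.0 it is the server's rpc.gssd that has to acquire a GSS context to deliver callbacks, which is the daemon Lukas found was not being started.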
