=========================================
rpcsec_gss support for kernel RPC servers
=========================================

This document gives references to the standards and protocols used to
implement RPCGSS authentication in kernel RPC servers such as the NFS
server and the NFS client's NFSv4.0 callback server.  (But note that
NFSv4.1 and higher don't require the client to act as a server for the
purposes of authentication.)

RPCGSS is specified in a few IETF documents:

- RFC2203 v1: https://tools.ietf.org/rfc/rfc2203.txt
- RFC5403 v2: https://tools.ietf.org/rfc/rfc5403.txt

There is a third version that we don't currently implement:

- RFC7861 v3: https://tools.ietf.org/rfc/rfc7861.txt

Background
==========

The RPCGSS Authentication method describes a way to perform GSSAPI
Authentication for NFS.  Although GSSAPI is itself completely mechanism
agnostic, in many cases only the KRB5 mechanism is supported by NFS
implementations.

The Linux kernel, at the moment, supports only the KRB5 mechanism, and
depends on GSSAPI extensions that are KRB5 specific.

GSSAPI is a complex library, and implementing it completely in kernel is
unwarranted.  However, GSSAPI operations are fundamentally separable into 2
parts:

- initial context establishment
- integrity/privacy protection (signing and encrypting of individual
  packets)

The former is more complex and policy-independent, but less
performance-sensitive.  The latter is simpler and needs to be very fast.

Therefore, we perform per-packet integrity and privacy protection in the
kernel, but leave the initial context establishment to userspace.  We
need upcalls to request userspace to perform context establishment.

NFS Server Legacy Upcall Mechanism
==================================

The classic upcall mechanism uses a custom text based upcall mechanism
to talk to a custom daemon called rpc.svcgssd that is provided by the
nfs-utils package.

This upcall mechanism has 2 limitations:

A) It can handle tokens that are no bigger than 2KiB

In some Kerberos deployments GSSAPI tokens can be quite big, up to and
beyond 64KiB in size due to various authorization extensions attached to
the Kerberos tickets, which need to be sent through the GSS layer in
order to perform context establishment.

B) It does not properly handle creds where the user is a member of more
than a few thousand groups (the current hard limit in the kernel is 65K
groups) due to a limitation on the size of the buffer that can be sent
back to the kernel (4KiB).

NFS Server New RPC Upcall Mechanism
===================================

The newer upcall mechanism uses RPC over a unix socket to a daemon
called gss-proxy, implemented by a userspace program called Gssproxy.

The gss_proxy RPC protocol is currently documented here:

	https://fedorahosted.org/gss-proxy/wiki/ProtocolDocumentation

This upcall mechanism uses the kernel rpc client and connects to the gssproxy
userspace program over a regular unix socket.  The gssproxy protocol does not
suffer from the size limitations of the legacy protocol.

Negotiating Upcall Mechanisms
=============================

To provide backward compatibility, the kernel defaults to using the
legacy mechanism.  To switch to the new mechanism, gss-proxy must bind
to /var/run/gssproxy.sock and then write "1" to
/proc/net/rpc/use-gss-proxy.  If gss-proxy dies, it must repeat both
steps.

Once the upcall mechanism is chosen, it cannot be changed.  To prevent
locking into the legacy mechanism, the above steps must be performed
before starting nfsd.  Whoever starts nfsd can guarantee this by reading
from /proc/net/rpc/use-gss-proxy and checking that it returns
"1"--the read will block until gss-proxy has done its write to the file.
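The check described above, written out as an added example (it is not part of the kernel documentation or of nfs-utils): the script that starts nfsd reads the control file with a deadline, so a missing gss-proxy produces a clear failure instead of an nfsd that is silently locked into the legacy rpc.svcgssd upcall or a start script that blocks forever. The control file path is a parameter (on a real system it is /proc/net/rpc/use-gss-proxy) so the logic can be exercised against constructed files; the ``rpc.nfsd`` invocation is left commented out.

```shell
#!/bin/sh
# Added example, not from the kernel documentation or nfs-utils.

# wait_for_gss_proxy FILE [TIMEOUT_SECONDS]
# Returns 0 when FILE reads "1", 1 on timeout, 2 on any other content.
wait_for_gss_proxy() {
    file=$1
    timeout=${2:-30}
    tmp=$(mktemp) || return 1
    # Reading the real file blocks until gss-proxy writes "1", so the read
    # runs in the background: its pid is recorded so a stuck read can be
    # killed, and a marker file signals that the read completed.
    ( cat "$file" > "$tmp.out" 2>/dev/null & echo $! > "$tmp.pid"; wait
      [ -e "$tmp.pid" ] && : > "$tmp.done" ) &
    elapsed=0
    while [ ! -e "$tmp.done" ]; do
        if [ "$elapsed" -ge "$timeout" ]; then
            kill "$(cat "$tmp.pid" 2>/dev/null)" 2>/dev/null || true
            rm -f "$tmp" "$tmp.out" "$tmp.pid" "$tmp.done"
            return 1
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    value=$(tr -d '[:space:]' < "$tmp.out")
    rm -f "$tmp" "$tmp.out" "$tmp.pid" "$tmp.done"
    [ "$value" = "1" ] && return 0
    return 2
}

# start_nfsd_with_gss_proxy FILE [TIMEOUT_SECONDS]
# Start nfsd only once the gss-proxy upcall has been selected; otherwise
# refuse, because the choice cannot be changed after nfsd is running.
start_nfsd_with_gss_proxy() {
    if wait_for_gss_proxy "$1" "$2"; then
        echo "gss-proxy upcall active, starting nfsd"
        # rpc.nfsd 8          # run on a real system
        return 0
    fi
    echo "gss-proxy has not enabled the RPC upcall; not starting nfsd" >&2
    return 1
}
```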