TOMOYO Linux Cross Reference
Linux/Documentation/filesystems/nfs/rpc-server-gss.rst

Differences between /Documentation/filesystems/nfs/rpc-server-gss.rst (Version linux-6.11.5) and /Documentation/filesystems/nfs/rpc-server-gss.rst (Version linux-4.19.322)


=========================================
rpcsec_gss support for kernel RPC servers
=========================================

This document gives references to the standard
implement RPCGSS authentication in kernel RPC
server and the NFS client's NFSv4.0 callback s
NFSv4.1 and higher don't require the client to
purposes of authentication.)

RPCGSS is specified in a few IETF documents:

 - RFC2203 v1: https://tools.ietf.org/rfc/rfc2
 - RFC5403 v2: https://tools.ietf.org/rfc/rfc5

There is a third version that we don't current

 - RFC7861 v3: https://tools.ietf.org/rfc/rfc7

Background
==========

The RPCGSS Authentication method describes a w
Authentication for NFS.  Although GSSAPI is it
agnostic, in many cases only the KRB5 mechanis
implementations.

The Linux kernel, at the moment, supports only
depends on GSSAPI extensions that are KRB5 spe

GSSAPI is a complex library, and implementing
unwarranted. However GSSAPI operations are fun
parts:

- initial context establishment
- integrity/privacy protection (signing and en
  packets)

The former is more complex and policy-independ
performance-sensitive.  The latter is simpler

Therefore, we perform per-packet integrity and
kernel, but leave the initial context establis
need upcalls to request userspace to perform c
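
The division this section describes, as an added illustration that is
not kernel, nfs-utils or gssproxy code: the slow, policy-heavy context
establishment runs "in userspace" and hands back a session key and the
identity it mapped the principal to; the kernel side keeps only what the
fast path needs, a key for verifying the per-packet MIC and the RFC 2203
(section 5.3.3, server processing of data requests) sequence window for
replay detection.  Everything here is an assumption made for the model:
the class and function names, HMAC-SHA256 standing in for the krb5
mechanism's GetMIC/VerifyMIC, the 128-entry window, and the two-word
header layout the verifier covers.

```python
"""Model of the split described above: GSSAPI context establishment in
userspace, per-packet integrity and replay checks in the kernel.

Added illustration, not kernel or nfs-utils code.  HMAC-SHA256 stands
in for the krb5 mechanism's GetMIC/VerifyMIC; the window rules follow
RFC 2203 section 5.3.3.  Window size and header layout are choices
made for this example.
"""
import hashlib
import hmac
import os
import struct

GSS_SEQ_WIN = 128                    # window size chosen for the example
WIN_MASK = (1 << GSS_SEQ_WIN) - 1
MAXSEQ = 0x80000000                  # RPCSEC_GSS_MAXSEQ (RFC 2203)


class UpcallResult:
    """What the userspace daemon hands back after the (slow, policy-laden)
    accept_sec_context loop: session key plus the identity the principal
    maps to.  Values are constructed; no Kerberos exchange happens here."""

    def __init__(self, uid, gids):
        self.key = os.urandom(32)
        self.uid = uid
        self.gids = gids


class ServerContext:
    """Kernel-side per-context state: the key for fast-path MIC checks
    and the RFC 2203 sequence window used for replay detection."""

    def __init__(self, upcall):
        self.key = upcall.key
        self.uid = upcall.uid
        self.gids = upcall.gids
        self.seq_max = 0   # highest sequence number accepted so far
        self.seq_win = 0   # bit i set  =>  seq_max - i already seen

    def check_seq_num(self, seq_num):
        """Record seq_num, or reject it.  None on success, else a reason."""
        if seq_num >= MAXSEQ:
            return "maxseq"                 # caller must expire the context
        if seq_num > self.seq_max:          # ahead of the window: slide it
            shift = seq_num - self.seq_max
            if shift >= GSS_SEQ_WIN:
                self.seq_win = 1
            else:
                self.seq_win = ((self.seq_win << shift) | 1) & WIN_MASK
            self.seq_max = seq_num
            return None
        offset = self.seq_max - seq_num
        if offset >= GSS_SEQ_WIN:
            return "below window"           # too old: RFC says drop silently
        if self.seq_win & (1 << offset):
            return "replay"
        self.seq_win |= 1 << offset         # late but unseen: accept
        return None


def rpc_header(xid, seq_num):
    """Stand-in for the bytes the RPCSEC_GSS verifier covers: the RPC
    header through the credential, which carries seq_num."""
    return struct.pack(">II", xid, seq_num)


def get_mic(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def client_request(key, xid, seq_num):
    """Client side: header plus verifier (MIC over the header)."""
    hdr = rpc_header(xid, seq_num)
    return hdr, seq_num, get_mic(key, hdr)


def server_accept(sctx, hdr, seq_num, mic):
    """Kernel fast path for a data request.  Integrity is checked before
    the window is updated, so a forged packet cannot move seq_max."""
    if not hmac.compare_digest(get_mic(sctx.key, hdr), mic):
        return "bad verifier"
    return sctx.check_seq_num(seq_num) or "ok"


def demo():
    """One context establishment, then a scripted run of data packets."""
    upcall = UpcallResult(uid=1000, gids=[1000, 27])  # slow path, userspace
    sctx = ServerContext(upcall)                      # kernel caches it
    results = []
    for xid, seq in [(1, 1), (2, 2), (2, 2), (3, 300), (4, 5), (5, 250), (6, MAXSEQ)]:
        results.append(server_accept(sctx, *client_request(upcall.key, xid, seq)))
    # Header altered in flight: fails the MIC before the window is consulted.
    _, _, mic = client_request(upcall.key, 7, 301)
    results.append(server_accept(sctx, rpc_header(7, 302), 302, mic))
    return results


if __name__ == "__main__":
    print(demo())
```

The scripted run shows the cases the fast path has to get right: an
in-order packet, an exact replay, a jump far ahead that resets the
window, a packet that has fallen below the window, a late packet that is
still inside it, a sequence number at MAXSEQ that must expire the
context, and a header tampered with after the MIC was computed.  Running
the MIC check before touching the window is a deliberate choice so that
unauthenticated traffic cannot advance seq_max and push legitimate
in-flight requests out of the window.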

NFS Server Legacy Upcall Mechanism
==================================

The classic upcall mechanism uses a custom tex
to talk to a custom daemon called rpc.svcgssd
nfs-utils package.

This upcall mechanism has 2 limitations:

A) It can handle tokens that are no bigger tha

In some Kerberos deployment GSSAPI tokens can
beyond 64KiB in size due to various authorizat
the Kerberos tickets, that needs to be sent th
order to perform context establishment.

B) It does not properly handle creds where the
than a few thousand groups (the current hard l
groups) due to limitation on the size of the b
back to the kernel (4KiB).

NFS Server New RPC Upcall Mechanism
===================================

The newer upcall mechanism uses RPC over a uni
called gss-proxy, implemented by a userspace p

The gss_proxy RPC protocol is currently docume
<https://fedorahosted.org/gss-proxy/wiki/Proto

This upcall mechanism uses the kernel rpc clie
userspace program over a regular unix socket.
suffer from the size limitations of the legacy

Negotiating Upcall Mechanisms
=============================

To provide backward compatibility, the kernel
legacy mechanism.  To switch to the new mechan
to /var/run/gssproxy.sock and then write "1" t
/proc/net/rpc/use-gss-proxy.  If gss-proxy die
steps.

Once the upcall mechanism is chosen, it cannot
locking into the legacy mechanisms, the above
before starting nfsd.  Whoever starts nfsd can
from /proc/net/rpc/use-gss-proxy and checking
"1"--the read will block until gss-proxy has d
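
The check described in this section, as an added example that is not
part of the kernel, nfs-utils or gssproxy: a POSIX shell function for
whoever starts nfsd.  It reads /proc/net/rpc/use-gss-proxy, which the
text says blocks until gss-proxy has written, and bounds that wait with
timeout(1) so a gss-proxy that never comes up cannot hang the start
sequence indefinitely; it also polls, so it still behaves if the read
returns before a decision has been made.  The function name, the exit
codes and the optional FILE argument (present only so the check can be
exercised against an ordinary file) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the kernel, nfs-utils or gssproxy): a pre-start
# check for whoever launches nfsd, following the steps in the text.
#
# Usage: wait_for_gss_proxy [FILE] [TIMEOUT_SECONDS]
#   FILE defaults to /proc/net/rpc/use-gss-proxy; the parameter exists
#   only so the check can be exercised against an ordinary file.
# Exit status: 0 if FILE reads as "1" (gss-proxy is in charge),
#              1 if it reads as "0" (legacy rpc.svcgssd upcall selected)
#                or no decision arrives within TIMEOUT_SECONDS,
#              2 if FILE cannot be read at all.
wait_for_gss_proxy() {
    file=${1:-/proc/net/rpc/use-gss-proxy}
    timeout_secs=${2:-30}

    if [ ! -r "$file" ]; then
        echo "wait_for_gss_proxy: cannot read $file" >&2
        return 2
    fi

    end=$(( $(date +%s) + timeout_secs ))
    while :; do
        # The kernel blocks this read until the mechanism is decided, so a
        # gss-proxy that never starts would hang the boot without a bound.
        # timeout(1) is GNU coreutils, not POSIX; fall back to a bare read.
        if command -v timeout >/dev/null 2>&1; then
            value=$(timeout "$timeout_secs" cat "$file" 2>/dev/null) || value=
        else
            value=$(cat "$file" 2>/dev/null) || value=
        fi
        case "$value" in
            1) return 0 ;;
            0) echo "wait_for_gss_proxy: legacy upcall already selected" >&2
               return 1 ;;
        esac
        if [ "$(date +%s)" -ge "$end" ]; then
            echo "wait_for_gss_proxy: no decision within ${timeout_secs}s" >&2
            return 1
        fi
        sleep 1
    done
}

# Typical use in a start script (not executed here):
#   wait_for_gss_proxy && exec rpc.nfsd
```

A "0" is treated as a hard failure rather than something to wait out:
once the kernel has settled on the legacy mechanism it cannot be
switched, so starting nfsd at that point would lock the server into the
2KiB token and 4KiB credential limits described above for as long as it
runs.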
                                                      
