2008-03-26 15:23:12 +00:00
|
|
|
/* $NetBSD: auth.h,v 1.15 2000/06/02 22:57:55 fvdl Exp $ */
|
|
|
|
|
2013-11-25 19:04:36 +00:00
|
|
|
/*-
|
2017-11-20 19:43:44 +00:00
|
|
|
* SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
*
|
2013-11-25 19:04:36 +00:00
|
|
|
* Copyright (c) 2009, Sun Microsystems, Inc.
|
|
|
|
* All rights reserved.
|
2008-03-26 15:23:12 +00:00
|
|
|
*
|
2013-11-25 19:04:36 +00:00
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions are met:
|
|
|
|
* - Redistributions of source code must retain the above copyright notice,
|
|
|
|
* this list of conditions and the following disclaimer.
|
|
|
|
* - Redistributions in binary form must reproduce the above copyright notice,
|
|
|
|
* this list of conditions and the following disclaimer in the documentation
|
|
|
|
* and/or other materials provided with the distribution.
|
|
|
|
* - Neither the name of Sun Microsystems, Inc. nor the names of its
|
|
|
|
* contributors may be used to endorse or promote products derived
|
|
|
|
* from this software without specific prior written permission.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
|
|
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
|
|
|
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
|
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
|
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
|
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
|
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
2008-03-26 15:23:12 +00:00
|
|
|
*
|
|
|
|
* from: @(#)auth.h 1.17 88/02/08 SMI
|
|
|
|
* from: @(#)auth.h 2.3 88/08/07 4.0 RPCSRC
|
|
|
|
* from: @(#)auth.h 1.43 98/02/02 SMI
|
|
|
|
* $FreeBSD$
|
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
|
|
|
* auth.h, Authentication interface.
|
|
|
|
*
|
|
|
|
* Copyright (C) 1984, Sun Microsystems, Inc.
|
|
|
|
*
|
|
|
|
* The data structures are completely opaque to the client. The client
|
|
|
|
* is required to pass an AUTH * to routines that create rpc
|
|
|
|
* "sessions".
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef _RPC_AUTH_H
|
|
|
|
#define _RPC_AUTH_H
|
|
|
|
#include <rpc/xdr.h>
|
|
|
|
#include <rpc/clnt_stat.h>
|
|
|
|
#include <sys/cdefs.h>
|
|
|
|
#include <sys/socket.h>
|
|
|
|
|
|
|
|
#define MAX_AUTH_BYTES 400
|
|
|
|
#define MAXNETNAMELEN 255 /* maximum length of network user's name */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Client side authentication/security data
|
|
|
|
*/
|
|
|
|
|
|
|
|
typedef struct sec_data {
|
|
|
|
u_int secmod; /* security mode number e.g. in nfssec.conf */
|
|
|
|
u_int rpcflavor; /* rpc flavors:AUTH_UNIX,AUTH_DES,RPCSEC_GSS */
|
|
|
|
int flags; /* AUTH_F_xxx flags */
|
|
|
|
caddr_t data; /* opaque data per flavor */
|
|
|
|
} sec_data_t;
|
|
|
|
|
|
|
|
#ifdef _SYSCALL32_IMPL
|
|
|
|
struct sec_data32 {
|
|
|
|
uint32_t secmod; /* security mode number e.g. in nfssec.conf */
|
|
|
|
uint32_t rpcflavor; /* rpc flavors:AUTH_UNIX,AUTH_DES,RPCSEC_GSS */
|
|
|
|
int32_t flags; /* AUTH_F_xxx flags */
|
|
|
|
caddr32_t data; /* opaque data per flavor */
|
|
|
|
};
|
|
|
|
#endif /* _SYSCALL32_IMPL */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* AUTH_DES flavor specific data from sec_data opaque data field.
|
|
|
|
* AUTH_KERB has the same structure.
|
|
|
|
*/
|
|
|
|
typedef struct des_clnt_data {
|
|
|
|
struct netbuf syncaddr; /* time sync addr */
|
|
|
|
struct knetconfig *knconf; /* knetconfig info that associated */
|
|
|
|
/* with the syncaddr. */
|
|
|
|
char *netname; /* server's netname */
|
|
|
|
int netnamelen; /* server's netname len */
|
|
|
|
} dh_k4_clntdata_t;
|
|
|
|
|
|
|
|
#ifdef _SYSCALL32_IMPL
|
|
|
|
struct des_clnt_data32 {
|
|
|
|
struct netbuf32 syncaddr; /* time sync addr */
|
|
|
|
caddr32_t knconf; /* knetconfig info that associated */
|
|
|
|
/* with the syncaddr. */
|
|
|
|
caddr32_t netname; /* server's netname */
|
|
|
|
int32_t netnamelen; /* server's netname len */
|
|
|
|
};
|
|
|
|
#endif /* _SYSCALL32_IMPL */
|
|
|
|
|
|
|
|
#ifdef KERBEROS
|
|
|
|
/*
|
|
|
|
* flavor specific data to hold the data for AUTH_DES/AUTH_KERB(v4)
|
|
|
|
* in sec_data->data opaque field.
|
|
|
|
*/
|
|
|
|
typedef struct krb4_svc_data {
|
|
|
|
int window; /* window option value */
|
|
|
|
} krb4_svcdata_t;
|
|
|
|
|
|
|
|
typedef struct krb4_svc_data des_svcdata_t;
|
|
|
|
#endif /* KERBEROS */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* authentication/security specific flags
|
|
|
|
*/
|
|
|
|
#define AUTH_F_RPCTIMESYNC 0x001 /* use RPC to do time sync */
|
|
|
|
#define AUTH_F_TRYNONE 0x002 /* allow fall back to AUTH_NONE */
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Status returned from authentication check
|
|
|
|
*/
|
|
|
|
enum auth_stat {
|
|
|
|
AUTH_OK=0,
|
|
|
|
/*
|
|
|
|
* failed at remote end
|
|
|
|
*/
|
|
|
|
AUTH_BADCRED=1, /* bogus credentials (seal broken) */
|
|
|
|
AUTH_REJECTEDCRED=2, /* client should begin new session */
|
|
|
|
AUTH_BADVERF=3, /* bogus verifier (seal broken) */
|
|
|
|
AUTH_REJECTEDVERF=4, /* verifier expired or was replayed */
|
|
|
|
AUTH_TOOWEAK=5, /* rejected due to security reasons */
|
|
|
|
/*
|
|
|
|
* failed locally
|
|
|
|
*/
|
|
|
|
AUTH_INVALIDRESP=6, /* bogus response verifier */
|
Implement support for RPCSEC_GSS authentication to both the NFS client
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager. I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.
The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.
To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.
As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.
Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.
The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.
Sponsored by: Isilon Systems
MFC after: 1 month
2008-11-03 10:38:00 +00:00
|
|
|
AUTH_FAILED=7, /* some unknown reason */
|
2008-03-26 15:23:12 +00:00
|
|
|
#ifdef KERBEROS
|
|
|
|
/*
|
|
|
|
* kerberos errors
|
|
|
|
*/
|
|
|
|
AUTH_KERB_GENERIC = 8, /* kerberos generic error */
|
|
|
|
AUTH_TIMEEXPIRE = 9, /* time of credential expired */
|
|
|
|
AUTH_TKT_FILE = 10, /* something wrong with ticket file */
|
|
|
|
AUTH_DECODE = 11, /* can't decode authenticator */
|
Implement support for RPCSEC_GSS authentication to both the NFS client
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager. I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.
The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.
To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.
As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.
Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.
The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.
Sponsored by: Isilon Systems
MFC after: 1 month
2008-11-03 10:38:00 +00:00
|
|
|
AUTH_NET_ADDR = 12, /* wrong net address in ticket */
|
2008-03-26 15:23:12 +00:00
|
|
|
#endif /* KERBEROS */
|
Implement support for RPCSEC_GSS authentication to both the NFS client
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager. I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.
The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.
To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.
As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.
Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.
The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.
Sponsored by: Isilon Systems
MFC after: 1 month
2008-11-03 10:38:00 +00:00
|
|
|
/*
|
|
|
|
* RPCSEC_GSS errors
|
|
|
|
*/
|
|
|
|
RPCSEC_GSS_CREDPROBLEM = 13,
|
|
|
|
RPCSEC_GSS_CTXPROBLEM = 14,
|
Add TLS support to the kernel RPC.
An internet draft titled "Towards Remote Procedure Call Encryption By Default"
describes how TLS is to be used for Sun RPC, with NFS as an intended use case.
This patch adds client and server support for this to the kernel RPC,
using KERN_TLS and upcalls to daemons for the handshake, peer reset and
other non-application data record cases.
The upcalls to the daemons use three fields to uniquely identify the
TCP connection. They are the time.tv_sec, time.tv_usec of the connection
establshment, plus a 64bit sequence number. The time fields avoid problems
with re-use of the sequence number after a daemon restart.
For the server side, once a Null RPC with AUTH_TLS is received, kernel
reception on the socket is blocked and an upcall to the rpctlssd(8) daemon
is done to perform the TLS handshake. Upon completion, the completion
status of the handshake is stored in xp_tls as flag bits and the reply to
the Null RPC is sent.
For the client, if CLSET_TLS has been set, a new TCP connection will
send the Null RPC with AUTH_TLS to initiate the handshake. The client
kernel RPC code will then block kernel I/O on the socket and do an upcall
to the rpctlscd(8) daemon to perform the handshake.
If the upcall is successful, ct_rcvstate will be maintained to indicate
if/when an upcall is being done.
If non-application data records are received, the code does an upcall to
the appropriate daemon, which will do a SSL_read() of 0 length to handle
the record(s).
When the socket is being shut down, upcalls are done to the daemons, so
that they can perform SSL_shutdown() calls to perform the "peer reset".
The rpctlssd(8) and rpctlscd(8) daemons require a patched version of the
openssl library and, as such, will not be committed to head at this time.
Although the changes done by this patch are fairly numerous, there should
be no semantics change to the kernel RPC at this time.
A future commit to the NFS code will optionally enable use of TLS for NFS.
2020-08-22 03:57:55 +00:00
|
|
|
/* Also used by RPCSEC_TLS for the same purpose */
|
Implement support for RPCSEC_GSS authentication to both the NFS client
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager. I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.
The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.
To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.
As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.
Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.
The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.
Sponsored by: Isilon Systems
MFC after: 1 month
2008-11-03 10:38:00 +00:00
|
|
|
RPCSEC_GSS_NODISPATCH = 0x8000000
|
2008-03-26 15:23:12 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
union des_block {
|
|
|
|
struct {
|
|
|
|
uint32_t high;
|
|
|
|
uint32_t low;
|
|
|
|
} key;
|
|
|
|
char c[8];
|
|
|
|
};
|
|
|
|
typedef union des_block des_block;
|
|
|
|
__BEGIN_DECLS
|
|
|
|
extern bool_t xdr_des_block(XDR *, des_block *);
|
|
|
|
__END_DECLS
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Authentication info. Opaque to client.
|
|
|
|
*/
|
|
|
|
struct opaque_auth {
|
|
|
|
enum_t oa_flavor; /* flavor of auth */
|
|
|
|
caddr_t oa_base; /* address of more auth stuff */
|
|
|
|
u_int oa_length; /* not to exceed MAX_AUTH_BYTES */
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Auth handle, interface to client side authenticators.
|
|
|
|
*/
|
Implement support for RPCSEC_GSS authentication to both the NFS client
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager. I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.
The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.
To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.
As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.
Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.
The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.
Sponsored by: Isilon Systems
MFC after: 1 month
2008-11-03 10:38:00 +00:00
|
|
|
struct rpc_err;
|
2008-03-26 15:23:12 +00:00
|
|
|
typedef struct __auth {
|
|
|
|
struct opaque_auth ah_cred;
|
|
|
|
struct opaque_auth ah_verf;
|
|
|
|
union des_block ah_key;
|
2021-07-09 14:56:13 +00:00
|
|
|
const struct auth_ops {
|
2008-03-26 15:23:12 +00:00
|
|
|
void (*ah_nextverf) (struct __auth *);
|
|
|
|
/* nextverf & serialize */
|
Implement support for RPCSEC_GSS authentication to both the NFS client
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager. I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.
The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.
To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.
As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.
Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.
The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.
Sponsored by: Isilon Systems
MFC after: 1 month
2008-11-03 10:38:00 +00:00
|
|
|
int (*ah_marshal) (struct __auth *, uint32_t, XDR *,
|
|
|
|
struct mbuf *);
|
2008-03-26 15:23:12 +00:00
|
|
|
/* validate verifier */
|
Implement support for RPCSEC_GSS authentication to both the NFS client
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager. I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.
The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.
To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.
As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.
Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.
The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.
Sponsored by: Isilon Systems
MFC after: 1 month
2008-11-03 10:38:00 +00:00
|
|
|
int (*ah_validate) (struct __auth *, uint32_t,
|
|
|
|
struct opaque_auth *, struct mbuf **);
|
2008-03-26 15:23:12 +00:00
|
|
|
/* refresh credentials */
|
|
|
|
int (*ah_refresh) (struct __auth *, void *);
|
|
|
|
/* destroy this structure */
|
|
|
|
void (*ah_destroy) (struct __auth *);
|
|
|
|
} *ah_ops;
|
|
|
|
void *ah_private;
|
|
|
|
} AUTH;
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Authentication ops.
|
|
|
|
* The ops and the auth handle provide the interface to the authenticators.
|
|
|
|
*
|
|
|
|
* AUTH *auth;
|
|
|
|
* XDR *xdrs;
|
|
|
|
* struct opaque_auth verf;
|
|
|
|
*/
|
|
|
|
#define AUTH_NEXTVERF(auth) \
|
|
|
|
((*((auth)->ah_ops->ah_nextverf))(auth))
|
|
|
|
|
Implement support for RPCSEC_GSS authentication to both the NFS client
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager. I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.
The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.
To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.
As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.
Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.
The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.
Sponsored by: Isilon Systems
MFC after: 1 month
2008-11-03 10:38:00 +00:00
|
|
|
#define AUTH_MARSHALL(auth, xid, xdrs, args) \
|
|
|
|
((*((auth)->ah_ops->ah_marshal))(auth, xid, xdrs, args))
|
2008-03-26 15:23:12 +00:00
|
|
|
|
Implement support for RPCSEC_GSS authentication to both the NFS client
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager. I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.
The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.
To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.
As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.
Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.
The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.
Sponsored by: Isilon Systems
MFC after: 1 month
2008-11-03 10:38:00 +00:00
|
|
|
#define AUTH_VALIDATE(auth, xid, verfp, resultsp) \
|
|
|
|
((*((auth)->ah_ops->ah_validate))((auth), xid, verfp, resultsp))
|
2008-03-26 15:23:12 +00:00
|
|
|
|
|
|
|
#define AUTH_REFRESH(auth, msg) \
|
|
|
|
((*((auth)->ah_ops->ah_refresh))(auth, msg))
|
|
|
|
|
|
|
|
#define AUTH_DESTROY(auth) \
|
|
|
|
((*((auth)->ah_ops->ah_destroy))(auth))
|
|
|
|
|
|
|
|
__BEGIN_DECLS
|
|
|
|
extern struct opaque_auth _null_auth;
|
|
|
|
__END_DECLS
|
|
|
|
|
|
|
|
/*
|
|
|
|
* These are the various implementations of client side authenticators.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
|
|
|
* System style authentication
|
|
|
|
* AUTH *authunix_create(machname, uid, gid, len, aup_gids)
|
|
|
|
* char *machname;
|
2012-10-04 04:15:18 +00:00
|
|
|
* u_int uid;
|
|
|
|
* u_int gid;
|
2008-03-26 15:23:12 +00:00
|
|
|
* int len;
|
2012-10-04 04:15:18 +00:00
|
|
|
* u_int *aup_gids;
|
2008-03-26 15:23:12 +00:00
|
|
|
*/
|
|
|
|
__BEGIN_DECLS
|
|
|
|
#ifdef _KERNEL
|
|
|
|
struct ucred;
|
|
|
|
extern AUTH *authunix_create(struct ucred *);
|
|
|
|
#else
|
2012-10-04 04:15:18 +00:00
|
|
|
extern AUTH *authunix_create(char *, u_int, u_int, int, u_int *);
|
2008-03-26 15:23:12 +00:00
|
|
|
extern AUTH *authunix_create_default(void); /* takes no parameters */
|
|
|
|
#endif
|
|
|
|
extern AUTH *authnone_create(void); /* takes no parameters */
|
Add TLS support to the kernel RPC.
An internet draft titled "Towards Remote Procedure Call Encryption By Default"
describes how TLS is to be used for Sun RPC, with NFS as an intended use case.
This patch adds client and server support for this to the kernel RPC,
using KERN_TLS and upcalls to daemons for the handshake, peer reset and
other non-application data record cases.
The upcalls to the daemons use three fields to uniquely identify the
TCP connection. They are the time.tv_sec, time.tv_usec of the connection
establshment, plus a 64bit sequence number. The time fields avoid problems
with re-use of the sequence number after a daemon restart.
For the server side, once a Null RPC with AUTH_TLS is received, kernel
reception on the socket is blocked and an upcall to the rpctlssd(8) daemon
is done to perform the TLS handshake. Upon completion, the completion
status of the handshake is stored in xp_tls as flag bits and the reply to
the Null RPC is sent.
For the client, if CLSET_TLS has been set, a new TCP connection will
send the Null RPC with AUTH_TLS to initiate the handshake. The client
kernel RPC code will then block kernel I/O on the socket and do an upcall
to the rpctlscd(8) daemon to perform the handshake.
If the upcall is successful, ct_rcvstate will be maintained to indicate
if/when an upcall is being done.
If non-application data records are received, the code does an upcall to
the appropriate daemon, which will do a SSL_read() of 0 length to handle
the record(s).
When the socket is being shut down, upcalls are done to the daemons, so
that they can perform SSL_shutdown() calls to perform the "peer reset".
The rpctlssd(8) and rpctlscd(8) daemons require a patched version of the
openssl library and, as such, will not be committed to head at this time.
Although the changes done by this patch are fairly numerous, there should
be no semantics change to the kernel RPC at this time.
A future commit to the NFS code will optionally enable use of TLS for NFS.
2020-08-22 03:57:55 +00:00
|
|
|
extern AUTH *authtls_create(void); /* takes no parameters */
|
2008-03-26 15:23:12 +00:00
|
|
|
__END_DECLS
|
|
|
|
/*
|
|
|
|
* DES style authentication
|
|
|
|
* AUTH *authsecdes_create(servername, window, timehost, ckey)
|
|
|
|
* char *servername; - network name of server
|
|
|
|
* u_int window; - time to live
|
|
|
|
* const char *timehost; - optional hostname to sync with
|
|
|
|
* des_block *ckey; - optional conversation key to use
|
|
|
|
*/
|
|
|
|
__BEGIN_DECLS
|
|
|
|
extern AUTH *authdes_create (char *, u_int, struct sockaddr *, des_block *);
|
|
|
|
extern AUTH *authdes_seccreate (const char *, const u_int, const char *,
|
|
|
|
const des_block *);
|
|
|
|
__END_DECLS
|
|
|
|
|
|
|
|
__BEGIN_DECLS
|
|
|
|
extern bool_t xdr_opaque_auth (XDR *, struct opaque_auth *);
|
|
|
|
__END_DECLS
|
|
|
|
|
|
|
|
#define authsys_create(c,i1,i2,i3,ip) authunix_create((c),(i1),(i2),(i3),(ip))
|
|
|
|
#define authsys_create_default() authunix_create_default()
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Netname manipulation routines.
|
|
|
|
*/
|
|
|
|
__BEGIN_DECLS
|
|
|
|
extern int getnetname(char *);
|
|
|
|
extern int host2netname(char *, const char *, const char *);
|
|
|
|
extern int user2netname(char *, const uid_t, const char *);
|
|
|
|
extern int netname2user(char *, uid_t *, gid_t *, int *, gid_t *);
|
|
|
|
extern int netname2host(char *, char *, const int);
|
|
|
|
extern void passwd2des ( char *, char * );
|
|
|
|
__END_DECLS
|
|
|
|
|
|
|
|
/*
|
|
|
|
*
|
|
|
|
* These routines interface to the keyserv daemon
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
__BEGIN_DECLS
|
|
|
|
extern int key_decryptsession(const char *, des_block *);
|
|
|
|
extern int key_encryptsession(const char *, des_block *);
|
|
|
|
extern int key_gendes(des_block *);
|
|
|
|
extern int key_setsecret(const char *);
|
|
|
|
extern int key_secretkey_is_set(void);
|
|
|
|
__END_DECLS
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Publickey routines.
|
|
|
|
*/
|
|
|
|
__BEGIN_DECLS
|
|
|
|
extern int getpublickey (const char *, char *);
|
|
|
|
extern int getpublicandprivatekey (const char *, char *);
|
|
|
|
extern int getsecretkey (char *, char *, char *);
|
|
|
|
__END_DECLS
|
|
|
|
|
|
|
|
#ifdef KERBEROS
|
|
|
|
/*
|
|
|
|
* Kerberos style authentication
|
|
|
|
* AUTH *authkerb_seccreate(service, srv_inst, realm, window, timehost, status)
|
|
|
|
* const char *service; - service name
|
|
|
|
* const char *srv_inst; - server instance
|
|
|
|
* const char *realm; - server realm
|
|
|
|
* const u_int window; - time to live
|
|
|
|
* const char *timehost; - optional hostname to sync with
|
|
|
|
* int *status; - kerberos status returned
|
|
|
|
*/
|
|
|
|
__BEGIN_DECLS
|
|
|
|
extern AUTH *authkerb_seccreate(const char *, const char *, const char *,
|
|
|
|
const u_int, const char *, int *);
|
|
|
|
__END_DECLS
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Map a kerberos credential into a unix cred.
|
|
|
|
*
|
|
|
|
* authkerb_getucred(rqst, uid, gid, grouplen, groups)
|
|
|
|
* const struct svc_req *rqst; - request pointer
|
|
|
|
* uid_t *uid;
|
|
|
|
* gid_t *gid;
|
|
|
|
* short *grouplen;
|
|
|
|
* int *groups;
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
__BEGIN_DECLS
|
|
|
|
extern int authkerb_getucred(/* struct svc_req *, uid_t *, gid_t *,
|
|
|
|
short *, int * */);
|
|
|
|
__END_DECLS
|
|
|
|
#endif /* KERBEROS */
|
|
|
|
|
|
|
|
__BEGIN_DECLS
|
|
|
|
struct svc_req;
|
|
|
|
struct rpc_msg;
|
|
|
|
enum auth_stat _svcauth_null (struct svc_req *, struct rpc_msg *);
|
|
|
|
enum auth_stat _svcauth_short (struct svc_req *, struct rpc_msg *);
|
|
|
|
enum auth_stat _svcauth_unix (struct svc_req *, struct rpc_msg *);
|
Add TLS support to the kernel RPC.
An internet draft titled "Towards Remote Procedure Call Encryption By Default"
describes how TLS is to be used for Sun RPC, with NFS as an intended use case.
This patch adds client and server support for this to the kernel RPC,
using KERN_TLS and upcalls to daemons for the handshake, peer reset and
other non-application data record cases.
The upcalls to the daemons use three fields to uniquely identify the
TCP connection. They are the time.tv_sec, time.tv_usec of the connection
establshment, plus a 64bit sequence number. The time fields avoid problems
with re-use of the sequence number after a daemon restart.
For the server side, once a Null RPC with AUTH_TLS is received, kernel
reception on the socket is blocked and an upcall to the rpctlssd(8) daemon
is done to perform the TLS handshake. Upon completion, the completion
status of the handshake is stored in xp_tls as flag bits and the reply to
the Null RPC is sent.
For the client, if CLSET_TLS has been set, a new TCP connection will
send the Null RPC with AUTH_TLS to initiate the handshake. The client
kernel RPC code will then block kernel I/O on the socket and do an upcall
to the rpctlscd(8) daemon to perform the handshake.
If the upcall is successful, ct_rcvstate will be maintained to indicate
if/when an upcall is being done.
If non-application data records are received, the code does an upcall to
the appropriate daemon, which will do a SSL_read() of 0 length to handle
the record(s).
When the socket is being shut down, upcalls are done to the daemons, so
that they can perform SSL_shutdown() calls to perform the "peer reset".
The rpctlssd(8) and rpctlscd(8) daemons require a patched version of the
openssl library and, as such, will not be committed to head at this time.
Although the changes done by this patch are fairly numerous, there should
be no semantics change to the kernel RPC at this time.
A future commit to the NFS code will optionally enable use of TLS for NFS.
2020-08-22 03:57:55 +00:00
|
|
|
enum auth_stat _svcauth_rpcsec_tls (struct svc_req *, struct rpc_msg *);
|
2008-03-26 15:23:12 +00:00
|
|
|
__END_DECLS
|
|
|
|
|
|
|
|
#define AUTH_NONE 0 /* no authentication */
|
|
|
|
#define AUTH_NULL 0 /* backward compatibility */
|
|
|
|
#define AUTH_SYS 1 /* unix style (uid, gids) */
|
|
|
|
#define AUTH_UNIX AUTH_SYS
|
|
|
|
#define AUTH_SHORT 2 /* short hand unix style */
|
|
|
|
#define AUTH_DH 3 /* for Diffie-Hellman mechanism */
|
|
|
|
#define AUTH_DES AUTH_DH /* for backward compatibility */
|
|
|
|
#define AUTH_KERB 4 /* kerberos style */
|
Implement support for RPCSEC_GSS authentication to both the NFS client
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager. I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.
The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.
To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.
As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.
Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.
The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.
Sponsored by: Isilon Systems
MFC after: 1 month
2008-11-03 10:38:00 +00:00
|
|
|
#define RPCSEC_GSS 6 /* RPCSEC_GSS */
|
Add TLS support to the kernel RPC.
An internet draft titled "Towards Remote Procedure Call Encryption By Default"
describes how TLS is to be used for Sun RPC, with NFS as an intended use case.
This patch adds client and server support for this to the kernel RPC,
using KERN_TLS and upcalls to daemons for the handshake, peer reset and
other non-application data record cases.
The upcalls to the daemons use three fields to uniquely identify the
TCP connection. They are the time.tv_sec, time.tv_usec of the connection
establshment, plus a 64bit sequence number. The time fields avoid problems
with re-use of the sequence number after a daemon restart.
For the server side, once a Null RPC with AUTH_TLS is received, kernel
reception on the socket is blocked and an upcall to the rpctlssd(8) daemon
is done to perform the TLS handshake. Upon completion, the completion
status of the handshake is stored in xp_tls as flag bits and the reply to
the Null RPC is sent.
For the client, if CLSET_TLS has been set, a new TCP connection will
send the Null RPC with AUTH_TLS to initiate the handshake. The client
kernel RPC code will then block kernel I/O on the socket and do an upcall
to the rpctlscd(8) daemon to perform the handshake.
If the upcall is successful, ct_rcvstate will be maintained to indicate
if/when an upcall is being done.
If non-application data records are received, the code does an upcall to
the appropriate daemon, which will do a SSL_read() of 0 length to handle
the record(s).
When the socket is being shut down, upcalls are done to the daemons, so
that they can perform SSL_shutdown() calls to perform the "peer reset".
The rpctlssd(8) and rpctlscd(8) daemons require a patched version of the
openssl library and, as such, will not be committed to head at this time.
Although the changes done by this patch are fairly numerous, there should
be no semantics change to the kernel RPC at this time.
A future commit to the NFS code will optionally enable use of TLS for NFS.
2020-08-22 03:57:55 +00:00
|
|
|
#define AUTH_TLS 7 /* Initiate RPC-over-TLS */
|
Implement support for RPCSEC_GSS authentication to both the NFS client
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager. I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.
The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.
To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.
As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.
Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.
The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.
Sponsored by: Isilon Systems
MFC after: 1 month
2008-11-03 10:38:00 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Pseudo auth flavors for RPCSEC_GSS.
|
|
|
|
*/
|
|
|
|
#define RPCSEC_GSS_KRB5 390003
|
|
|
|
#define RPCSEC_GSS_KRB5I 390004
|
|
|
|
#define RPCSEC_GSS_KRB5P 390005
|
2008-03-26 15:23:12 +00:00
|
|
|
|
|
|
|
#endif /* !_RPC_AUTH_H */
|