rpcsec_gss support for kernel RPC servers

This document gives references to the standards and protocols used to implement RPCGSS authentication in kernel RPC servers such as the NFS server and the NFS client’s NFSv4.0 callback server. (Note that NFSv4.1 and higher don’t require the client to act as a server for the purposes of authentication.)

RPCGSS is specified in a few IETF documents:

  • RFC 2203 (RPCSEC_GSS version 1)

  • RFC 5403 (RPCSEC_GSS version 2)

There is a third version that we don’t currently implement:

  • RFC 7861 (RPCSEC_GSS version 3)

Background

The RPCGSS authentication method describes a way to perform GSSAPI authentication for NFS. Although GSSAPI is itself completely mechanism-agnostic, in many cases only the KRB5 mechanism is supported by NFS implementations.

The Linux kernel, at the moment, supports only the KRB5 mechanism, and depends on GSSAPI extensions that are KRB5-specific.

GSSAPI is a complex library, and implementing it completely in the kernel is unwarranted. However, GSSAPI operations are fundamentally separable into 2 parts:

  • initial context establishment

  • integrity/privacy protection (signing and encrypting of individual packets)

The former is more complex and policy-dependent, but less performance-sensitive. The latter is simpler and needs to be very fast.

Therefore, we perform per-packet integrity and privacy protection in the kernel, but leave the initial context establishment to userspace. We need upcalls to request userspace to perform context establishment.

NFS Server Legacy Upcall Mechanism

The classic upcall mechanism uses a custom text-based protocol to talk to a custom daemon called rpc.svcgssd that is provided by the nfs-utils package.

This upcall mechanism has 2 limitations:

  1. It can handle tokens that are no bigger than 2KiB.

     In some Kerberos deployments GSSAPI tokens can be quite big, up to and beyond 64KiB in size, due to various authorization extensions attached to the Kerberos tickets that need to be sent through the GSS layer in order to perform context establishment.

  2. It does not properly handle creds where the user is a member of more than a few thousand groups (the current hard limit in the kernel is 65K groups), due to the limitation on the size of the buffer that can be sent back to the kernel (4KiB).

NFS Server New RPC Upcall Mechanism

The newer upcall mechanism uses RPC over a unix socket to a daemon called gss-proxy, implemented by a userspace program called Gssproxy.

The gss_proxy RPC protocol is currently documented in the gss-proxy project’s own protocol documentation.

This upcall mechanism uses the kernel RPC client and connects to the gssproxy userspace program over a regular unix socket. The gssproxy protocol does not suffer from the size limitations of the legacy protocol.

Negotiating Upcall Mechanisms

To provide backward compatibility, the kernel defaults to using the legacy mechanism. To switch to the new mechanism, gss-proxy must bind to /var/run/gssproxy.sock and then write “1” to /proc/net/rpc/use-gss-proxy. If gss-proxy dies, it must repeat both steps.

Once the upcall mechanism is chosen, it cannot be changed. To prevent locking into the legacy mechanism, the above steps must be performed before starting nfsd. Whoever starts nfsd can guarantee this by reading from /proc/net/rpc/use-gss-proxy and checking that it contains a “1”: the read blocks until gss-proxy has done its write to the file.
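The startup ordering described above, written as POSIX shell functions an init script could use before launching nfsd. This is an added example and not code from the kernel, nfs-utils or Gssproxy; the socket path /var/run/gssproxy.sock and the procfs file /proc/net/rpc/use-gss-proxy come from the text, the timeout (default 30 seconds) and the wrapper function start_nfsd_with_gss_proxy are assumptions, and the paths are taken as arguments only so the logic can be exercised against ordinary files.

```shell
#!/bin/sh
# Added example: gate nfsd startup on gss-proxy having selected the new
# upcall mechanism. Not part of the kernel documentation or any project.

# Return 0 once the file at $1 (default /proc/net/rpc/use-gss-proxy) reads
# "1". The kernel blocks the read until gss-proxy writes, so the read is
# bounded by $2 seconds (assumed default 30) so a missing or crashed
# gss-proxy fails loudly instead of hanging the boot sequence.
wait_for_gss_proxy() {
    path=${1:-/proc/net/rpc/use-gss-proxy}
    limit=${2:-30}
    if command -v timeout >/dev/null 2>&1; then
        # timeout(1) exits 124 on expiry, which fails the substitution.
        val=$(timeout "$limit" cat "$path" 2>/dev/null) || return 1
    else
        val=$(cat "$path" 2>/dev/null) || return 1
    fi
    [ "$val" = "1" ]
}

# Both preconditions from the text must hold: gss-proxy is listening on
# its unix socket ($1) and has flipped use-gss-proxy ($2). Timeout is $3.
gss_proxy_ready() {
    sock=${1:-/var/run/gssproxy.sock}
    procfile=${2:-/proc/net/rpc/use-gss-proxy}
    [ -S "$sock" ] || return 1
    wait_for_gss_proxy "$procfile" "${3:-30}"
}

# Hypothetical wrapper around starting nfsd; the actual nfsd invocation is
# site-specific and left as a comment.
start_nfsd_with_gss_proxy() {
    if gss_proxy_ready "$@"; then
        echo "gss-proxy upcall selected; starting nfsd"
        # rpc.nfsd 8
        return 0
    fi
    echo "gss-proxy not ready: starting nfsd now would lock in the legacy rpc.svcgssd upcall" >&2
    return 1
}
```

Refusing to start nfsd when the check fails is deliberate: because the mechanism cannot be changed once chosen, starting nfsd early would silently commit the server to the legacy upcall with its 2KiB token and 4KiB group-list limits until the next reboot.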