The alpha code presented on this web page adds the following features to the NFSv4 linux implementation:
- Client use of the kernel credential keyring
- Client bug fix for referrals
- Server exporting different security flavors per netgroup
These features will eventually be added to the main stream kernel.
Update log
- Wed Aug 23 11:23:26 EDT 2006 Original code drop.
- Wed Aug 23 16:36:26 EDT 2006 Update htools for filesnarf lookup/open
- Tue Aug 29 16:12:43 EDT 2006 Update htools for mount nfs4 kernel patch
- Wed Aug 30 15:02:42 EDT 2006 linux-2.6.18-rc5 kernel patches
- Thu Aug 31 16:58:59 EDT 2006 Update htools for filesnarf tcp checksum and no-promiscuous
- Tue Sep 5 16:03:02 EDT 2006 new linux-2.6.18-rc5 kernel patch - 2.6.18-rc5-referral-path-walk.patch
- Mon Sep 18 15:24:34 EDT 2006 new linux-2.6.18-rc5 kernel patch - 2.6.18-rc5-nfsd-cross-mnt-error-fix.patch
- Wed Sep 20 19:53:05 EDT 2006 new Kerberos keyring ccache patch
- Sat Sep 23 19:02:56 EDT 2006 new nfs-utils patches
- Fri Sep 29 17:11:27 EDT 2006 updated acl testing tool and new acl parser
- Mon Oct 2 19:02:28 EDT 2006 Updated ACL commandline and GUI tools, added screenshot
- Tue Oct 3 15:29:07 EDT 2006 Bugfixes in ACL tools
- Thu Oct 19 12:00:53 EDT 2006 Common client credential cache, common upcall pipe, client and server SECINFO kernel patches
- Thu Oct 19 12:00:53 EDT 2006 Keyring and common upcall nfs-utils patches
- Fri Oct 20 16:15:16 EDT 2006 Kernel 2.6.18-rc5-rpc-common-auth-unix.patch and 2.6.18-rc5-rpc-common-credcache-fix.patch
- Tue Oct 24 19:24:14 EDT 2006 Updated ACL tools: working build scripts, "nfs4_editfacl", bit more documentation
- Wed Oct 25 16:20:28 EDT 2006 Updated ACL tools: include workaround for Qt. 4.2.1 API bug in GUI tool
- Thu Oct 26 18:56:09 EDT 2006 Updated ACL tools: fixed contextual menu integration for KDE and GNOME
- Wed Nov 15 15:47:43 EST 2006 Updated ACL tools: big changes to nfs4_setfacl, better file dialog in nfs4-acl-editor
- Wed Feb 28 00:53:45 EST 2007 Updated ACL tools: version 0.3.0 (includes manpages, bugfixes; see CHANGELOG)
- Thu Mar 8 13:55:59 EST 2007 Updated ACL tools: version 0.3.1 (documentation and build fixes; no new features)
- Mon Oct 22 18:21:29 EDT 2007 Updated ACL tools: version 0.3.2 (set ACL recursively on dir tree; permissions "aliases")
linux-2.6.18-rc5 Kernel patches
cp>
NOTE: To compile, please select these kernel configuration features:
- "Security options->Enable access key retention support"
- "File systems->Network File Systems->Secure RPC Keyring Support (EXPERIMENTAL)"
Apply these patches in order
nfs-utils patches
The latest all-in-one patch to nfs-utils-1.0.10 is
nfs-utils-1.0.10-asci-CITI_NFS4_ALL-2
Also available as separate patches with comments for developers.
Additional required patches applied after nfs-utils-1.0.10-asci-CITI_NFS4_ALL-2
Usage notes
- You must use "--enable-mount" when configuring nfs-utils because the
mount program within nfs-utils is not yet built by default.
- The Kerberos patch is not necessary for basic user access to work.
However, access on a thread- or process-level requires the thread- or
process- level Kerberos credentials cache. The mount program uses
process-level credentials.
- utils/mount/mount.nfs has been modified to obtain Kerberos credentials
for a krb5[ip] mount. This mount pgm must be used, otherwise gssd will not
find credentials to negotiate a context for the mount.
% ../utils/mount/mount.nfs server.domain.org:/path /mntpath -t nfs4 -o sec=krb5
- Users must currently run utils/gssd/nfslogin in order to
tell gssd where their credentials are in order to successfully access
filesystems mounted with Kerberos. It is assumed that the pam module
will be modified to make the necessary call to do this automatically
upon login.
% kinit
% ../utils/gssd/nfslogin
- The /etc/exports file can take some new options: sec= and refer=.
To give everyone read access, and kerberos users read/write access:
/export *(fsid=0,no_subtree_check,nohide,insecure,sync,sec=sys,ro,sec=krb5:krb5i:krb5p,rw)
(Note the sec= option currently affects only the ro and rw options.)
To enable a referral:
/export/fsloc *.citi.umich.edu(ro,no_subtree_check,nohide,insecure,refer=/build@141.211.133.86,sync)
- Our SECINFO implementation requires that each export under the server pseudo-filesystem that has different security have a unique fsid. So, if a server exports multiple directories from the same partition, the export option fisd=X must be used.
- Our SECINFO implementation also requires that the server pseudofilesystem root exports the union of the security flavors of its leafs.
The full release of nfs-utils-1.0.10:
nfs-utils-1.0.10.tar.gz
(Also available from sourceforge)
Kerberos patches
A patch to add a new keyring credential cache type to MIT Kerberos can be
found here:
If your distribution does not have a keyutils package, you can find it
here. Note that
the keyutils package needs to be installed prior to building Kerberos with the keyring credentials cache feature.
Be sure to check your client's /etc/gssapi_mech.conf libgssapi_krb5.so path to ensure it points to the new library.
Usage notes
After applying the patch, run ./src/util/reconf to regenerate
configure files before building the code.
With the 20060920 and later patches, you must specify
--enable-keyring-ccache to enable the keyring ccache code (and make
it the default ccache type).
(Note that pam and/or sshd often set the KRB5CCNAME environment variable
which will override the default.)
In addition to "KEYRING:", you can also specify
"KEYRING:process:" or "KEYRING:thread:".
However, these are only useful in long-running processes or threads.
Specifying this via KRB5CCNAME and then running kinit will
cause the credentials to be created and they will immediately go
away when kinit completes.
The Kerberos source code can be obtained from the
MIT Distribution Page
Vulnerability Testing Tools
htools-20060831.tar.gz
htools-20060829.tar.gz (old)
htools-20060823.tar.gz (old)
htools.tar.gz (old)
These are the "hacker" tools, commonly used to demonstrate vulnerabilities
in NFSv3. We are extending them to do the same in NFSv4. The tools work
with auth_sys mounts but are completely defeated by auth_krb.
See the Readme files for build and usage instructions.
newpynfs20060822.tar.gz
A client that can be used to send RPCs interactively, and
some tests that enable uid/gid spoofing and fh probing.
mount
This is the standard linux mount command, extended to allow mounting by file
handle. This is used to bypass the export security built in to the mount
protocol (v3) or pseudo-fs traversal (v4).
filesnarf
This is a file sniffing tool from the dsniff test suite. It passively
sniffs rpc traffic and reconstructs file contents. We have extended it to v4 and to
display the contents in real time.
acl-test-20060929.tar.gz
acl-test-20060922.tar.gz (old)
Test tools and scripts to demonstrate that acl and security identity works
and is correctly configured.
nfs4-acl-tools-0.3.2.tar.gz (updated 2007-10-22)
Command-line tools nfs4_getfacl and nfs4_setfacl,
as well as a GUI (Qt-based) ACL editor (see a screenshot). We're working on bugfixes and features;
please direct any email to nfsv4@linux-nfs.org. Thanks.
Configuration Testing Tools
parser.py
A simple /etc/exports parser for configuration testing.
checkfacl.c
A simple acl parsing and testing tool.