| |||||||||
|
RPCSEC_GSS for linux 2.5 kernels
As of version 2.5.58, Linus's kernel includes support for basic client-side rpcsec_gss authentication (without data integrity or privacy). The kernel patches below add server-side support and add support for data integrity on the client. Features we are actively working on include full integrity and privacy support on client and server and support for the other two rpcsec_gss mechanisms (spkm3 and lipkey) required by the nfsv4 spec.
This is work in progress, and may be only very lightly tested before release; the intended audience is developers and users interested in testing rpcsec_gss.
The rpcsec_gss support should work with any version of NFS, though it doesn't protect the auxiliary protocols used with NFSv3. Also, see our NFSv4/Linux download page for NFSv4 information.
You need a set of the latest kernel patches from this directory, a matching kernel tree, a mount patch (against the util-linux sources), the latest gssd sources, and the latest nfs-utils patch against the corresponding version of nfs-utils.
Apply the appropriate patches and configure and build the kernel, making sure to select, at a minimum:
- Code maturity options->Prompt for development and/or incomplete code/drivers
- File systems->Network File Systems->NFS file system support
- File systems->Network File Systems->NFS server support
- File systems->Network File Systems->Provide RPCSEC_GSS authentication (EXPERIMENTAL)
- File systems->Network File Systems->Kerberos mechanism for RPCSEC_GSS (EXPERIMENTAL)
- Cryptographic options->Cryptographic API
- Cryptographic options->MD5 digest algorithm
- Cryptographic options->DES and Triple DES EDE cipher algorithms
Unpack the MIT kerberos 5.1.2.7 distribution, apply the patch krb5-1.2.7-mechglue-1.diff, and build kerberos:
# cd /usr/local/src
# tar -xzvf krb5-1.2.7.tar.gz
# cd krb5-1.2.7
# patch -p1 <mechglue_krb5.1.2.7-mechglue-1.diff
# cd src
# ./configure && make
Then build the user-space daemons (rpc.gssd and rpc.svcgssd):
# tar -xzvf gssd.tar.gz
# cd gssd
# ./configure --with-krb5=/usr/local/src/krb5-1.2.7/src && make
Install them somewhere (e.g., /usr/local/sbin/).
Create machine credentials for both the client and the server. For this release, this means creating a Kerberos V5 principal/instance name of the form nfs/hostname@domain, and either adding a key for this pricipal to an existing /etc/krb5.keytab or creating an /etc/krb5.keytab using a random password.
Note: only the encryption type of des-cbc-crc is functional so far in the kernel, so add ONLY this type of key.
kadmin: addprinc -randkey nfs/hostname.domain
kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/hostname.domain
Build the patched mount program and nfs-utils.
Boot to the new kernel, and then you should be able to do something like this on the client:
# mkdir /var/lib/rpc_pipes
# mount -trpc_pipefs none /var/lib/rpc_pipes
# rpc.gssd -m &
# mount -osec=krb5 myserver.somewhere.net:/ /mnt
and on the server, export as usual, except that any exports which you wish to be accesible to clients using krb5 should be exported to a special client named "gss/krb5". For example, a line in your export file reading:
/exports gss/krb5(rw,sync)
will make /exports available to those clients (and only those clients) which
use krb5.
In addition, you need to mount the rpc_pipefs filesystem (as for the client) and run rpc.svcgssd:
# mkdir /var/lib/rpc_pipes
# mount -trpc_pipefs none /var/lib/rpc_pipes
# rpc.svcgssd &
Known issues, being worked on:
- The server should purge contexts that haven't been used recently from its cache. Currently it doesn't do this, so the context cache can grow without bound.
- The client doesn't send a destroy_context token when it is done with a context, so it is up to the server to expire unused contexts from its cache.
- We haven't studied the impact of rpcsec_gss on performance, which is probably significant at least for reads and writes under integrity or privacy.
 |
|
 |
