Re: [nfsv4] more on gss authentication for callback

Nicolas Williams <Nicolas.Williams@sun.com> Thu, 30 October 2003 23:06 UTC

From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Mike Eisler <mike@eisler.com>
Cc: nfsv4@ietf.org
Subject: Re: [nfsv4] more on gss authentication for callback
Message-ID: <20031030230143.GA26891@binky.central.sun.com>
References: <3FA193EB.4020307@eisler.com>
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Archive: <https://www1.ietf.org/mail-archive/working-groups/nfsv4/>
Date: Thu, 30 Oct 2003 15:01:43 -0800

On Thu, Oct 30, 2003 at 02:42:51PM -0800, Mike Eisler wrote:
> > Will it work?  For the Kerberos V GSS-API mechanism, yes.  For
> > LIPKEY, no.
> 
> Why not? Say the client and server each have access to a passwd database
> kept in NIS or LDAP. Each NFS client and server has an entry in the
> database. When the server makes a callback to the client, it supplies the
> server's "user" name and password over the SPKM-3 protected session. This
> requires each client to have an SPKM-3 private key and certificate. Which
> is why the NFSv4 RFC3530 notes that since callbacks over LIPKEY require
> certificates on the client and server, it is permissible for the server to
> issue the callback with pure SPKM-3, and that the client SHOULD issue the
> SETCLIENTID with pure SPKM-3 (if it wants callbacks).

I did say LIPKEY, not SPKM-3.

As for SPKM-3, can this work without a client cert?  Would it be secure
without a client cert?  I think not.

> So it works, but it is not sensible to use LIPKEY for callbacks.

No, it's not sensible.

That's why we must pursue the CCM-MIC approach.  And that means we need a
CB op for servers to ask clients to establish a GSS-API context in the
v4 channel for use with CCM-MIC in the CB channel.

Cheers,

Nico
-- 

_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www1.ietf.org/mailman/listinfo/nfsv4
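The following is an added toy model of the callback-protection idea Nico argues for in the message above; it is not code from the thread, from the CCM draft, or from any NFS implementation. It models only the shape of the proposal: the client, which has the credentials, initiates a security context over the forward (v4) channel in answer to a server's request, and the server then MICs its callback RPCs under that context on the CB channel. Everything concrete is an assumption: HMAC-SHA256 stands in for GSS_GetMIC/GSS_VerifyMIC, the context key is handed over directly instead of through a real init/accept token exchange, the CB op is just a method call, and the message strings and class names are invented.

```python
"""Toy model of protecting NFSv4 callbacks with a GSS context the client
established on the forward channel.  Not the CCM draft's mechanism: HMAC
stands in for GSS MIC tokens and no real token exchange takes place."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class GssContext:
    """Stand-in for an established GSS-API security context (assumption)."""
    handle: bytes        # opaque handle both peers use to name the context
    key: bytes           # session key a real mechanism would derive
    send_seq: int = 0    # sequence number for the MIC tokens the server emits

    def get_mic(self, seq: int, msg: bytes) -> bytes:
        # The sequence number is bound into the MIC so a captured callback
        # cannot simply be replayed later; real GSS MIC tokens carry one too.
        return hmac.new(self.key, seq.to_bytes(8, "big") + msg, hashlib.sha256).digest()

    def verify_mic(self, seq: int, msg: bytes, mic: bytes) -> bool:
        return hmac.compare_digest(self.get_mic(seq, msg), mic)


class Client:
    """NFSv4 client: it owns credentials, so it acts as the GSS initiator."""

    def __init__(self) -> None:
        self.cb_contexts: dict[bytes, GssContext] = {}
        self.last_seq: dict[bytes, int] = {}
        self.log: list[str] = []

    def init_cb_context(self) -> GssContext:
        """Answer the server's CB request by establishing a context on the v4
        channel.  A real mechanism exchanges init/accept tokens here; the toy
        just mints a key and lets the server copy it (assumption)."""
        ctx = GssContext(handle=secrets.token_bytes(8), key=secrets.token_bytes(32))
        self.cb_contexts[ctx.handle] = ctx
        self.last_seq[ctx.handle] = -1
        return ctx

    def on_callback(self, handle: bytes, seq: int, msg: bytes, mic: bytes) -> bool:
        """Accept a callback only if it carries a valid, fresh MIC under a
        context this client itself established."""
        ctx = self.cb_contexts.get(handle)
        if ctx is None:
            self.log.append("reject: unknown context handle")
            return False
        if not ctx.verify_mic(seq, msg, mic):
            self.log.append("reject: bad MIC")
            return False
        if seq <= self.last_seq[handle]:
            self.log.append("reject: replayed sequence number")
            return False
        self.last_seq[handle] = seq
        self.log.append(f"accept: {msg!r}")
        return True


class Server:
    """NFSv4 server: asks the client (the proposed CB op) for a context, then
    MICs every callback with it instead of authenticating as an initiator."""

    def __init__(self) -> None:
        self.cb_ctx: GssContext | None = None

    def request_cb_context(self, client: Client) -> None:
        # The proposed CB op: "please establish a GSS context for my callbacks".
        ctx = client.init_cb_context()
        self.cb_ctx = GssContext(handle=ctx.handle, key=ctx.key)

    def send_callback(self, client: Client, msg: bytes) -> bool:
        if self.cb_ctx is None:
            raise RuntimeError("no callback context established")
        seq = self.cb_ctx.send_seq
        self.cb_ctx.send_seq += 1
        return client.on_callback(self.cb_ctx.handle, seq, msg, self.cb_ctx.get_mic(seq, msg))


def demo() -> dict:
    """One genuine callback plus two attacks; returns the client's verdicts."""
    client, server = Client(), Server()
    server.request_cb_context(client)
    recall = b"CB_RECALL stateid=0x1"            # constructed sample callback
    genuine = server.send_callback(client, recall)
    # An impostor that never ran the context exchange cannot produce a MIC
    # the client accepts, whatever it claims in the callback body.
    bogus_mic = hmac.new(secrets.token_bytes(32), recall, hashlib.sha256).digest()
    forged = client.on_callback(server.cb_ctx.handle, 99, recall, bogus_mic)
    # Replaying the captured, validly MICed first callback is rejected too.
    ctx = server.cb_ctx
    replayed = client.on_callback(ctx.handle, 0, recall, ctx.get_mic(0, recall))
    return {"genuine": genuine, "forged": forged, "replayed": replayed, "log": client.log}


if __name__ == "__main__":
    print(demo())
```

The point the toy makes explicit is the role reversal: the server never has to present an initiator credential the client can check, so the client-certificate problem raised for SPKM-3/LIPKEY callbacks does not arise; the price is that the callback channel is only as good as the context binding and the per-message sequence check, which is why both are modeled rather than a bare HMAC over the payload.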