Re: [nfsv4] RFC: Combining RPC-with-TLS and sec=krb5
Rick Macklem <rick.macklem@gmail.com> Tue, 03 January 2023 01:04 UTC
Return-Path: <rick.macklem@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A846DC152579 for <nfsv4@ietfa.amsl.com>; Mon, 2 Jan 2023 17:04:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WlxhOUQfFmMX for <nfsv4@ietfa.amsl.com>; Mon, 2 Jan 2023 17:04:33 -0800 (PST)
Received: from mail-pj1-x1029.google.com (mail-pj1-x1029.google.com [IPv6:2607:f8b0:4864:20::1029]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCB0CC152588 for <nfsv4@ietf.org>; Mon, 2 Jan 2023 17:04:33 -0800 (PST)
Received: by mail-pj1-x1029.google.com with SMTP id o1-20020a17090a678100b00219cf69e5f0so34379296pjj.2 for <nfsv4@ietf.org>; Mon, 02 Jan 2023 17:04:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=SsjXcyY3BalmfCFO6Mf+r73ve7cQlpQozn5FZsUVICo=; b=HnXVms8M7tpejROmNpPJpq0nAM6o8of56EQmEzoJs+I32NzaZnZfdp5ECGtEjtuFUo MrwjT8NE11i/2wBJ6+qG89s4q6OZ0YkTyd625u137WZnjgLK1ICPo4JGrjZ+Xk0XMpO9 /kvxOf9Q29XosRqf9uajlXBxNFLigx69sxY9AEVLSdGNSSDin/esa5qKaEZBZxWmgR4D zMzK6Usfdsywc5qoAGcTMNojpUWUEYwpRruWHdKbYe5q0AFyi5SO0L6qYUqi5/ZBiidt 1WafTYjNETv+sVFF0hcn2q/0yRN8GPrs62mWpemEDCpkvVkd0igouF1bJliY0DTUb/ya wflw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=SsjXcyY3BalmfCFO6Mf+r73ve7cQlpQozn5FZsUVICo=; b=cbEKGRTf0WCS3QjRR+YIdCBsZg9w1HSR/WENB1R8f9Lvp+jFJlZ0F+sz8hAiB0RCfS 08665vzC5ne4l+NQ8AqSMlvgcubyQyhyiisrqn8ZYbqcG8tkdCi35XvNuakWZoLaf311 gNCG9/lIi+8+N5rytfzsYOLRLzA7iU1aBj2CSDBpNXMXM1jJedYLNjAamc4db60hH8NX dMZiP6RqJmh/Kq3p7o9bj8T3KSMDrxWdhEq4/xxv1/EavooDRQaxp+XnI+dNna0AmheS +gz0qLhab/bLQkHXu0k16NjcEoY7sIh0RtTSEUAdFKqC0SnIhD2t9UhnUu4PvNoEhP7D Rcog==
X-Gm-Message-State: AFqh2ko48nf+cNqLJVAMC5hv5n2bMAP5mPbrkxTsaHrm8OSPmvHxBuLG vlFG3HuGRenNf7xIK1X6LfM5ATK/4J/7ox1ujA==
X-Google-Smtp-Source: AMrXdXvQlFYA0CSxrcenfe8+GoN1cbEArhEAAajAdTH2DXKpjnaeWUV4E0pRiXXegjJsyKURQsVohBpad2yEm3I4eLw=
X-Received: by 2002:a17:902:ef8d:b0:192:7363:b004 with SMTP id iz13-20020a170902ef8d00b001927363b004mr1659332plb.112.1672707872858; Mon, 02 Jan 2023 17:04:32 -0800 (PST)
MIME-Version: 1.0
References: <CAM5tNy7A41ss3m_Q4+XSnUF3frbe9YO-4EzMUA1_k_wyz+e12Q@mail.gmail.com> <CADaq8jcDcbDsvS3WnJo1jXO4bBFwT+smT4Yr5GREcu4-TCinvg@mail.gmail.com> <CAM5tNy4UXBWyAm2PMfU4AZz6-OryKuKSpyNcS=cEJueGjpWqdQ@mail.gmail.com>
In-Reply-To: <CAM5tNy4UXBWyAm2PMfU4AZz6-OryKuKSpyNcS=cEJueGjpWqdQ@mail.gmail.com>
From: Rick Macklem <rick.macklem@gmail.com>
Date: Mon, 02 Jan 2023 17:04:19 -0800
Message-ID: <CAM5tNy7-b90wNo6fOxk3rNNM7U0_4jxxoDjoB94tuDvROrWg2A@mail.gmail.com>
To: David Noveck <davenoveck@gmail.com>
Cc: NFSv4 <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009328de05f151a652"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/KtdkbMVe23_ae0ztoR_Q6gg8Vmc>
Subject: Re: [nfsv4] RFC: Combining RPC-with-TLS and sec=krb5
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jan 2023 01:04:37 -0000
On Sun, Jan 1, 2023 at 4:47 PM Rick Macklem <rick.macklem@gmail.com> wrote: > > > On Sun, Jan 1, 2023 at 5:08 AM David Noveck <davenoveck@gmail.com> wrote: > >> >> >> On Sun, Jan 1, 2023, 6:51 AM Rick Macklem <rick.macklem@gmail.com> wrote: >> >>> First, some background... >>> >>> The NFSv4 RFCs require that the same principal be used for all state >>> related operations as was used for the initial SetClientID or ExchangeID. >>> >> >> That was not my impression. Where exactly does it say this.? >> >> Also, how does this relate to the discussion of state protection in >> rfc8881? >> >> For kerberized NFSv4 mounts, the client has typically handled this in one >>> of two ways: >>> >>> A - A host based principal of the form "host/FQDN-of-client" is created >>> on the KDC. A keytab entry for this principal is then generated and >>> put in the client's default keytab file via some secure means. >>> This approach works, but does have some limitations: >>> - The client must have a well defined, fixed, DNS host name. >>> This implies that it does not work for any mobile device. >>> - The administrative overhead of doing this seems to have discouraged >>> some from doing Kerberized NFSv4 mounts and instead choosing to >>> use insecure AUTH_SYS. >>> >>> B - The client's "root" user does a kinit for a Kerberos user principal >>> to acquire a valid TGT and then does a mount, using that >>> TGT/principal. >>> This approach works, but also has limitations: >>> - When the user principal's TGT expires, the mount stops working. >>> - The mount can only be done manually, after doing a "kinit". >>> - The procedure for doing this is rather convoluted for the Linux >>> NFSv4 client. >>> >>> The fact that this tends to be administratively "awkward" is not >>> surprising, since Kerberos was designed for user authentication >>> and not machine (or peer, if you prefer) authentication. >>> >> >> Yes. >> >> We now have RPC-with-TLS. This can provide machine authentication, >>> but requiring the NFSv4 client to present a valid X.509 certificate >>> during TLS handshake. It also provides on-the-wire encryption, >>> obviating any need for RPCSEC_GSS integrity or privacy. >>> >> >> That is explicitly discussed in *draft-ietf-nfsv4-security*, which >> hasn't yet emerged from an adoption call that started in October. We need >> to get this completed soon. I'll follow up with the other wg chairs. >> >> However, it does not provide user authentication and, as such, can >>> result in mounts using insecure AUTH_SYS. >>> >> >> The current assumption, in the pending rfc5661bis-related documents, is >> that the security of using AUTH_SYS is substantially enhanced when it is >> used with peer authentication since you have some basis for determining >> that the client is trustworthy in sending uid values. That's better but it >> still leaves AUTH_SYS somewhat insecure. >> >> >>> So, what I have test coded for FreeBSD combines the use of RPC-with-TLS >>> for privacy and machine authentication with the use of >>> RPCSEC_GSS/Kerberos >>> for user authentication. This did not require any on-the-wire protocol >>> changes, >>> >> >> I get the impression that it might require some limited set of >> specification changes. >> > >> but did require some implementation work on both client and server. >>> >> Sort of, yes. My current implementation uses SP_NONE and, as such, works > against an unmodified FreeBSD or Linux server. However, the servers are not > enforcing the "requires RPC-with-TLS plus peer authentication" requirement. > > It appears to implement that requirement, a new value for > state_protect_how4 > would need to be defined (SP4_PEER_AUTH ?). > I think this could be added as a new case for both state_protect4_a and > state_protect4_r with state_protect_ops in the union's case. > Its semantics would be similar to SP4_MACH_CRED, but would allow AUTH_SYS > to be used, so long as the compound was received on a RPC-with-TLS > connection > that has been peer authenticated during TLS handshake. > I think that a simpler way to do this which avoids defining a new value for state_protect_how4 would be to have the server require use of RPC-with-TLS including peer authentication for all connections from a given client (checked via client IP host address) when doing non-NULL RPCs. I think? we have agreed that this is something reasonable for a server to do, based on a server sysadmin's configuration. Then, requiring RPC-with-TLS that peer authenticates successfully, combined with SP4_NONE should achieve what I am trying to do. This avoids the hassle of defining a new state_protect_how4 value and allows it to be done for NFSv4.1 and 4.2. For NFSv4.0, the equivalent to SP4_NONE could be implemented by the server to achieve the same result. rick > > >> >> So, if this prototype requires implementation work on both the FreeBSD >> client and server, what is the interoperability story when your client >> accesses a Linux server? >> > Turns out that it does work (when modified to not use TLS, since the Linux > server does not do that yet). The use of SP4_NONE against the Linux server > allows the operations needed to establish the mount to work and the first > user access to the mount (with a valid Kerberos TGT) fills in the > additional > mount information needed. > > The Linux client will not do a mount to the FreeBSD server when it does not > have any Kerberos TGT nor host based keytab entry. > > rick > >> >> >>> For the NFSv4 server: >>> 1 - Allow compound RPCs that consist entirely of state maintenance >>> operations >>> (ExchangeID, CreateSession, ReclaimComplete, Sequence, >>> DestroySession, >>> DestroyClient, SetClientID, SetClientIDConfirm, Renew, FreeStateID, >>> ReleaseLockOwner, BindConnectionToSession) >>> to be performed using AUTH_SYS credentials with the same uid >>> (usually 0) >>> if the client is using RPC-with-TLS and has machine authenticated >>> during >>> TLS handshake (via a X.509 certificate). >>> 2 - Require all other compound RPCs (ones making use of a CFH) to be >>> performed >>> with RPCSEC_GSS/Kerberos credentials. >>> This turned out to be fairly simple for the FreeBSD NFSv4 server, since >>> it >>> already had a separate function to authenticate #1 vs #2 RPCs. >>> >>> This allows a client to use Kerberos for user authentication, but does >>> not >>> require the client to do (A) or (B) above. >>> Implementation of this in the FreeBSD NFSv4 client turned out to be >>> somewhat >>> more involved than the server changes. The FreeBSD NFSv4 client does a >>> compound RPC that looks like: >>> - PutRootFH, { Lookup, Lookup,...Lookup }, GetFH >>> For example, if the mount is specified as nfsv4-server:/export/vol1, >>> the above would be: >>> PutRootFH, Lookup export, Lookup vol1, GetFH >>> This RPC is normally done during mount. To make this scheme work, the >>> above RPC needed to be deferred if the server replied NFS4ERR_WRONGSEC >>> when attempted using AUTH_SYS credential. >>> >> >> An alternative would be to allow LOOKUP of export points to be done with >> AUTH_SYS. More work for the server but less for the client. >> >> Then, the above RPC is attempted again whenever a user process attempts >>> to access the mounted file system. When one of these access attempts >>> is done by a user with a valid TGT for their user principal, the attempt >>> succeeds and the mount then knows the actual file handle for the >>> mount point. >>> >>> Deferring acquisition of the mount point file handle required that a >>> "fake" >>> one be created during the mount operation, which is then replaced when >>> a retry of the above RPC succeeds. This is obviously a FreeBSD specific >>> implementation detail, but other clients might perform in a similar way. >>> >>> In summary, this implementation allows the use of Kerberos for user >>> authentication without the need to (mis)use Kerberos for machine >>> authentication. >>> Machine authentication is handled by RPC-with-TLS, along with on-the-wire >>> encryption (which may be supported by offload hardware). >>> It is hoped that this might simplify Kerberos deployment for NFSv4 mounts >>> to the point that it would be more widely adopted. >>> >> >> It might but the experience is such that we can't depend on that >> happening. >> >> >>> So, does this sound like a good plan? >>> >> >> It sounds like a worthwhile approach. >> >> >>> In particular, are the Linux folk interested in implementing this? >>> >> >> I don't know. >> >> In any case, we should discuss the spec implications at the IETF116 >> meeting and see if this needs changes to go into >> *draft-ietf-nfsv4-security-01*. That requires that we get the -00 out >> within the next few weeks >> >> >>> Thanks for any comments, rick >>> >>> _______________________________________________ >>> nfsv4 mailing list >>> nfsv4@ietf.org >>> https://www.ietf.org/mailman/listinfo/nfsv4 >>> >>
- [nfsv4] RFC: Combining RPC-with-TLS and sec=krb5 Rick Macklem
- Re: [nfsv4] RFC: Combining RPC-with-TLS and sec=k… David Noveck
- Re: [nfsv4] RFC: Combining RPC-with-TLS and sec=k… Chuck Lever III
- Re: [nfsv4] RFC: Combining RPC-with-TLS and sec=k… Rick Macklem
- Re: [nfsv4] RFC: Combining RPC-with-TLS and sec=k… Rick Macklem
- Re: [nfsv4] RFC: Combining RPC-with-TLS and sec=k… Rick Macklem