IETF Logo Mail Archive

Re: [nfsv4] RFC: Combining RPC-with-TLS and sec=krb5

Rick Macklem <rick.macklem@gmail.com> Tue, 03 January 2023 01:04 UTC

Return-Path: <rick.macklem@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A846DC152579 for <nfsv4@ietfa.amsl.com>; Mon, 2 Jan 2023 17:04:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WlxhOUQfFmMX for <nfsv4@ietfa.amsl.com>; Mon, 2 Jan 2023 17:04:33 -0800 (PST)
Received: from mail-pj1-x1029.google.com (mail-pj1-x1029.google.com [IPv6:2607:f8b0:4864:20::1029]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCB0CC152588 for <nfsv4@ietf.org>; Mon, 2 Jan 2023 17:04:33 -0800 (PST)
Received: by mail-pj1-x1029.google.com with SMTP id o1-20020a17090a678100b00219cf69e5f0so34379296pjj.2 for <nfsv4@ietf.org>; Mon, 02 Jan 2023 17:04:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=SsjXcyY3BalmfCFO6Mf+r73ve7cQlpQozn5FZsUVICo=; b=HnXVms8M7tpejROmNpPJpq0nAM6o8of56EQmEzoJs+I32NzaZnZfdp5ECGtEjtuFUo MrwjT8NE11i/2wBJ6+qG89s4q6OZ0YkTyd625u137WZnjgLK1ICPo4JGrjZ+Xk0XMpO9 /kvxOf9Q29XosRqf9uajlXBxNFLigx69sxY9AEVLSdGNSSDin/esa5qKaEZBZxWmgR4D zMzK6Usfdsywc5qoAGcTMNojpUWUEYwpRruWHdKbYe5q0AFyi5SO0L6qYUqi5/ZBiidt 1WafTYjNETv+sVFF0hcn2q/0yRN8GPrs62mWpemEDCpkvVkd0igouF1bJliY0DTUb/ya wflw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=SsjXcyY3BalmfCFO6Mf+r73ve7cQlpQozn5FZsUVICo=; b=cbEKGRTf0WCS3QjRR+YIdCBsZg9w1HSR/WENB1R8f9Lvp+jFJlZ0F+sz8hAiB0RCfS 08665vzC5ne4l+NQ8AqSMlvgcubyQyhyiisrqn8ZYbqcG8tkdCi35XvNuakWZoLaf311 gNCG9/lIi+8+N5rytfzsYOLRLzA7iU1aBj2CSDBpNXMXM1jJedYLNjAamc4db60hH8NX dMZiP6RqJmh/Kq3p7o9bj8T3KSMDrxWdhEq4/xxv1/EavooDRQaxp+XnI+dNna0AmheS +gz0qLhab/bLQkHXu0k16NjcEoY7sIh0RtTSEUAdFKqC0SnIhD2t9UhnUu4PvNoEhP7D Rcog==
X-Gm-Message-State: AFqh2ko48nf+cNqLJVAMC5hv5n2bMAP5mPbrkxTsaHrm8OSPmvHxBuLG vlFG3HuGRenNf7xIK1X6LfM5ATK/4J/7ox1ujA==
X-Google-Smtp-Source: AMrXdXvQlFYA0CSxrcenfe8+GoN1cbEArhEAAajAdTH2DXKpjnaeWUV4E0pRiXXegjJsyKURQsVohBpad2yEm3I4eLw=
X-Received: by 2002:a17:902:ef8d:b0:192:7363:b004 with SMTP id iz13-20020a170902ef8d00b001927363b004mr1659332plb.112.1672707872858; Mon, 02 Jan 2023 17:04:32 -0800 (PST)
MIME-Version: 1.0
References: <CAM5tNy7A41ss3m_Q4+XSnUF3frbe9YO-4EzMUA1_k_wyz+e12Q@mail.gmail.com> <CADaq8jcDcbDsvS3WnJo1jXO4bBFwT+smT4Yr5GREcu4-TCinvg@mail.gmail.com> <CAM5tNy4UXBWyAm2PMfU4AZz6-OryKuKSpyNcS=cEJueGjpWqdQ@mail.gmail.com>
In-Reply-To: <CAM5tNy4UXBWyAm2PMfU4AZz6-OryKuKSpyNcS=cEJueGjpWqdQ@mail.gmail.com>
From: Rick Macklem <rick.macklem@gmail.com>
Date: Mon, 02 Jan 2023 17:04:19 -0800
Message-ID: <CAM5tNy7-b90wNo6fOxk3rNNM7U0_4jxxoDjoB94tuDvROrWg2A@mail.gmail.com>
To: David Noveck <davenoveck@gmail.com>
Cc: NFSv4 <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009328de05f151a652"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/KtdkbMVe23_ae0ztoR_Q6gg8Vmc>
Subject: Re: [nfsv4] RFC: Combining RPC-with-TLS and sec=krb5
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jan 2023 01:04:37 -0000

On Sun, Jan 1, 2023 at 4:47 PM Rick Macklem <rick.macklem@gmail.com> wrote:

>
>
> On Sun, Jan 1, 2023 at 5:08 AM David Noveck <davenoveck@gmail.com> wrote:
>
>>
>>
>> On Sun, Jan 1, 2023, 6:51 AM Rick Macklem <rick.macklem@gmail.com> wrote:
>>
>>> First, some background...
>>>
>>> The NFSv4 RFCs require that the same principal be used for all state
>>> related operations as was used for the initial SetClientID or ExchangeID.
>>>
>>
>> That was not my impression.  Where exactly does it say this.?
>>
>> Also, how does this relate to the discussion of state protection in
>> rfc8881?
>>
>> For kerberized NFSv4 mounts, the client has typically handled this in one
>>> of two ways:
>>>
>>> A - A host based principal of the form "host/FQDN-of-client" is created
>>>     on the KDC.  A keytab entry for this principal is then generated and
>>>     put in the client's default keytab file via some secure means.
>>>     This approach works, but does have some limitations:
>>>     - The client must have a well defined, fixed, DNS host name.
>>>       This implies that it does not work for any mobile device.
>>>     - The administrative overhead of doing this seems to have discouraged
>>>       some from doing Kerberized NFSv4 mounts and instead choosing to
>>>       use insecure AUTH_SYS.
>>>
>>> B - The client's "root" user does a kinit for a Kerberos user principal
>>>     to acquire a valid TGT and then does a mount, using that
>>> TGT/principal.
>>>     This approach works, but also has limitations:
>>>     - When the user principal's TGT expires, the mount stops working.
>>>     - The mount can only be done manually, after doing a "kinit".
>>>     - The procedure for doing this is rather convoluted for the Linux
>>>       NFSv4 client.
>>>
>>> The fact that this tends to be administratively "awkward" is not
>>> surprising, since Kerberos was designed for user authentication
>>> and not machine (or peer, if you prefer) authentication.
>>>
>>
>> Yes.
>>
>> We now have RPC-with-TLS.  This can provide machine authentication,
>>> but requiring the NFSv4 client to present a valid X.509 certificate
>>> during TLS handshake.  It also provides on-the-wire encryption,
>>> obviating any need for RPCSEC_GSS integrity or privacy.
>>>
>>
>> That is explicitly discussed in *draft-ietf-nfsv4-security*, which
>> hasn't yet emerged from an adoption call that started in October.  We need
>> to get this completed soon.  I'll follow up with the other wg chairs.
>>
>> However, it does not provide user authentication and, as such, can
>>> result in mounts using insecure AUTH_SYS.
>>>
>>
>> The current assumption, in the pending rfc5661bis-related documents, is
>> that the security of using AUTH_SYS is substantially enhanced when it is
>> used with peer authentication since you have some basis for determining
>> that the client is trustworthy in sending uid values.  That's better but it
>> still leaves AUTH_SYS somewhat insecure.
>>
>>
>>> So, what I have test coded for FreeBSD combines the use of RPC-with-TLS
>>> for privacy and machine authentication with the use of
>>> RPCSEC_GSS/Kerberos
>>> for user authentication.  This did not require any on-the-wire protocol
>>> changes,
>>>
>>
>> I get the impression that it might require some limited set of
>> specification changes.
>>
>
>> but did require some implementation work on both client and server.
>>>
>> Sort of, yes.  My current implementation uses SP_NONE and, as such, works
> against an unmodified FreeBSD or Linux server. However, the servers are not
> enforcing the "requires RPC-with-TLS plus peer authentication" requirement.
>
> It appears to implement that requirement, a new value for
> state_protect_how4
> would need to be defined (SP4_PEER_AUTH ?).
> I think this could be added as a new case for both state_protect4_a and
> state_protect4_r with state_protect_ops in the union's case.
> Its semantics would be similar to SP4_MACH_CRED, but would allow AUTH_SYS
> to be used, so long as the compound was received on a RPC-with-TLS
> connection
> that has been peer authenticated during TLS handshake.
>

I think that a simpler way to do this which avoids defining a new value
for state_protect_how4 would be to have the server require use of
RPC-with-TLS including peer authentication for all connections from
a given client (checked via client IP host address) when doing non-NULL
RPCs.
I think? we have agreed that this is something reasonable for a server to
do, based on a server sysadmin's configuration.

Then, requiring RPC-with-TLS that peer authenticates successfully, combined
with SP4_NONE should achieve what I am trying to do.

This avoids the hassle of defining a new state_protect_how4 value and allows
it to be done for NFSv4.1 and 4.2.
For NFSv4.0, the equivalent to SP4_NONE could be implemented by the server
to achieve the same result.

rick

>
>
>>
>> So, if this prototype requires implementation work on both the FreeBSD
>> client and server, what is the interoperability story when your client
>> accesses a Linux server?
>>
> Turns out that it does work (when modified to not use TLS, since the Linux
> server does not do that yet). The use of SP4_NONE against the Linux server
> allows the operations needed to establish the mount to work and the first
> user access to the mount (with a valid Kerberos TGT) fills in the
> additional
> mount information needed.
>
> The Linux client will not do a mount to the FreeBSD server when it does not
> have any Kerberos TGT nor host based keytab entry.
>
> rick
>
>>
>>
>>> For the NFSv4 server:
>>> 1 - Allow compound RPCs that consist entirely of state maintenance
>>> operations
>>>     (ExchangeID, CreateSession, ReclaimComplete, Sequence,
>>> DestroySession,
>>>      DestroyClient, SetClientID, SetClientIDConfirm, Renew, FreeStateID,
>>>      ReleaseLockOwner, BindConnectionToSession)
>>>     to be performed using AUTH_SYS credentials with the same uid
>>> (usually 0)
>>>     if the client is using RPC-with-TLS and has machine authenticated
>>> during
>>>     TLS handshake (via a X.509 certificate).
>>> 2 - Require all other compound RPCs (ones making use of a CFH) to be
>>> performed
>>>     with RPCSEC_GSS/Kerberos credentials.
>>> This turned out to be fairly simple for the FreeBSD NFSv4 server, since
>>> it
>>> already had a separate function to authenticate #1 vs #2 RPCs.
>>>
>>> This allows a client to use Kerberos for user authentication, but does
>>> not
>>> require the client to do (A) or (B) above.
>>> Implementation of this in the FreeBSD NFSv4 client turned out to be
>>> somewhat
>>> more involved than the server changes.  The FreeBSD NFSv4 client does a
>>> compound RPC that looks like:
>>> - PutRootFH, { Lookup, Lookup,...Lookup }, GetFH
>>>   For example, if the mount is specified as nfsv4-server:/export/vol1,
>>>   the above would be:
>>>   PutRootFH, Lookup export, Lookup vol1, GetFH
>>> This RPC is normally done during mount.  To make this scheme work, the
>>> above RPC needed to be deferred if the server replied NFS4ERR_WRONGSEC
>>> when attempted using AUTH_SYS credential.
>>>
>>
>> An alternative would be to allow LOOKUP of export points to be done with
>> AUTH_SYS.  More work for the server but less for the client.
>>
>> Then, the above RPC is attempted again whenever a user process attempts
>>> to access the mounted file system.  When one of these access attempts
>>> is done by a user with a valid TGT for their user principal, the attempt
>>> succeeds and the mount then knows the actual file handle for the
>>> mount point.
>>>
>>> Deferring acquisition of the mount point file handle required that a
>>> "fake"
>>> one be created during the mount operation, which is then replaced when
>>> a retry of the above RPC succeeds.  This is obviously a FreeBSD specific
>>> implementation detail, but other clients might perform in a similar way.
>>>
>>> In summary, this implementation allows the use of Kerberos for user
>>> authentication without the need to (mis)use Kerberos for machine
>>> authentication.
>>> Machine authentication is handled by RPC-with-TLS, along with on-the-wire
>>> encryption (which may be supported by offload hardware).
>>> It is hoped that this might simplify Kerberos deployment for NFSv4 mounts
>>> to the point that it would be more widely adopted.
>>>
>>
>> It might but the experience is such that we can't depend on that
>> happening.
>>
>>
>>> So, does this sound like a good plan?
>>>
>>
>> It sounds like a worthwhile approach.
>>
>>
>>> In particular, are the Linux folk interested in implementing this?
>>>
>>
>> I don't know.
>>
>> In any case, we should discuss the spec implications at the IETF116
>> meeting and see if this needs changes to go into
>> *draft-ietf-nfsv4-security-01*.  That requires that we get the -00 out
>> within the next few weeks
>>
>>
>>> Thanks for any comments, rick
>>>
>>> _______________________________________________
>>> nfsv4 mailing list
>>> nfsv4@ietf.org
>>> https://www.ietf.org/mailman/listinfo/nfsv4
>>>
>>

v2.23.0 | Report a Bug | By Email