RE: [nfsv4] more on gss authentication for callback

Mike Eisler <mike@eisler.com> Thu, 30 October 2003 22:44 UTC

Message-ID: <3FA193EB.4020307@eisler.com>
From: Mike Eisler <mike@eisler.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: nfsv4@ietf.org
Subject: RE: [nfsv4] more on gss authentication for callback
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: nfsv4-admin@ietf.org
Errors-To: nfsv4-admin@ietf.org
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/mail-archive/working-groups/nfsv4/>
X-Original-Date: Thu, 30 Oct 2003 14:42:51 -0800
Date: Thu, 30 Oct 2003 14:42:51 -0800

 > -----Original Message-----
 > From: Nicolas Williams [mailto:Nicolas.Williams@sun.com]
 > Sent: Thursday, October 30, 2003 2:16 PM
 > To: rick@snowhite.cis.uoguelph.ca
 > Cc: nfsv4@ietf.org
 > Subject: Re: [nfsv4] more on gss authentication for callback
 >
 >
 > On Thu, Oct 30, 2003 at 04:58:11PM -0500,
 > rick@snowhite.cis.uoguelph.ca wrote:
 > > First, thanks a lot for the good info. I now have some idea
 > of what to do.
 > > One case I am curious about:
 > > - The client authenticates to the server for SetClientID with
 > > 	target: nfs@<serverhost.domain>
 > > 	initiator: root (or root@REALM in Kerberos jargon)
 >                    ^^^^
 > 		   root@<clienthost.domain>
 > > then, can the server authenticate the callback with
 > > 	target: root
 >                 ^^^^
 > 		root@<clienthost.domain>
 > > 	initiator: nfs@<serverhost.domain>	??
 >
 > The client has to have an acceptor credential[1] for
 > root@<clienthost.domain>.
 >
 > [1]  In Solaris SEAM, MIT krb5 and Heimdal parlance this
 > means having a
 >      keytab entry for root@<clienthost.domain>.

I can imagine a Kerberos V5 implementation that
caches the user's Kerberos password from kinit, and uses it
to produce the quasi-keytab entry for the purpose of user-to-user
Kerberos V5 authentication. It would not surprise me if
there is one today. But yes, today, for UNIX/Linux systems, it does
mean that machine creds, and not user creds, are the only ones that can be
used for SETCLIENTID over krb5.

 > Will it work?  For the Kerberos V GSS-API mechanism, yes.  For
 > LIPKEY, no.

Why not? Say the client and server each have access to a passwd database
kept in NIS or LDAP. Each NFS client and server has an entry in the database.
When the server makes a callback to the client, it supplies the server's
"user" name and password over the SPKM-3 protected session. This requires
each client to have an SPKM-3 private key and certificate. Which is why the NFSv4
RFC3530 notes that since callbacks over LIPKEY require certificates on the client
and server, it is permissible for the server to issue the callback with pure SPKM-3,
and that the client SHOULD issue the SETCLIENTID with pure SPKM-3 (if it wants callbacks).

So it works, but it is not sensible to use LIPKEY for callbacks.

_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www1.ietf.org/mailman/listinfo/nfsv4
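As an added example that is not part of the message above, nor code from any NFS or Kerberos implementation: a small Python check for the acceptor-credential requirement Nick describes, i.e. whether a host's keytab holds the long-term key the krb5 GSS mechanism needs to accept a context for a given target name. It maps the GSS host-based name form "service@host" to the Kerberos principal "service/host@REALM" (the standard krb5 mechanism mapping) and runs that check for both directions of the exchange in the thread: the forward SETCLIENTID (server accepts as nfs@<serverhost>) and the callback (client accepts as root@<clienthost>). The realm EXAMPLE.COM, the hostnames and the `klist -k` listings are constructed assumptions, not captured from real machines.

```python
"""Acceptor-credential check for an NFSv4 callback over RPCSEC_GSS/krb5.

Added example; not code from the thread above. It models the point made
there: the side that *accepts* a GSS context needs a long-term key (a
keytab entry) for the target name, so a client that wants callbacks must
hold an acceptor credential for root@<clienthost.domain>.

Assumptions (not in the original message): the realm EXAMPLE.COM, the
hostnames, and the `klist -k` listings below, which are constructed.
"""
from __future__ import annotations

import re


# GSS host-based names ("service@host", GSS_C_NT_HOSTBASED_SERVICE) map to the
# Kerberos principal "service/host@REALM" under the krb5 mechanism (RFC 1964).
def hostbased_to_principal(name: str, realm: str) -> str:
    """Return the Kerberos principal a krb5 acceptor needs for GSS name `name`.

    A bare "service" with no host part maps to "service@REALM". The host is
    lowercased, as MIT krb5 does when importing host-based names.
    """
    if "@" in name:
        service, host = name.split("@", 1)
        return f"{service}/{host.lower()}@{realm}"
    return f"{name}@{realm}"


# One data row of MIT `klist -k` output: "<kvno> <principal>".
_KLIST_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def keytab_principals(klist_output: str) -> set[str]:
    """Parse the principal column out of MIT-style `klist -k` text."""
    found: set[str] = set()
    for line in klist_output.splitlines():
        m = _KLIST_ROW.match(line)
        if m:
            found.add(m.group(2))
    return found


def can_accept(target: str, realm: str, klist_output: str) -> bool:
    """True if the keytab listing holds the acceptor key for GSS target `target`."""
    return hostbased_to_principal(target, realm) in keytab_principals(klist_output)


def callback_ready(server_host: str, client_host: str, realm: str,
                   server_keytab: str, client_keytab: str) -> dict[str, bool]:
    """Check both directions of the exchange discussed in the thread.

    forward:  client -> server, target nfs@<server>  (server must accept)
    callback: server -> client, target root@<client> (client must accept)
    """
    return {
        "forward": can_accept(f"nfs@{server_host}", realm, server_keytab),
        "callback": can_accept(f"root@{client_host}", realm, client_keytab),
    }


REALM = "EXAMPLE.COM"  # assumed realm

# Constructed listings, not captured from real hosts.
SERVER_KEYTAB = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server.example.com@EXAMPLE.COM
   2 nfs/server.example.com@EXAMPLE.COM
"""

# A typical client: machine keys only, nothing for root/<client>.
CLIENT_KEYTAB_NO_ROOT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/client.example.com@EXAMPLE.COM
   3 nfs/client.example.com@EXAMPLE.COM
"""

# The same client after adding the acceptor key the callback target needs.
CLIENT_KEYTAB_WITH_ROOT = CLIENT_KEYTAB_NO_ROOT + \
    "   1 root/client.example.com@EXAMPLE.COM\n"

if __name__ == "__main__":
    for label, kt in (("no root key", CLIENT_KEYTAB_NO_ROOT),
                      ("root key present", CLIENT_KEYTAB_WITH_ROOT)):
        status = callback_ready("server.example.com", "client.example.com",
                                REALM, SERVER_KEYTAB, kt)
        print(f"{label}: forward={status['forward']} "
              f"callback={status['callback']}")
```

The first listing is the common case the thread worries about: the client can initiate SETCLIENTID with its machine cred, but the server's callback to root@client.example.com has nothing to land on until a root/client.example.com key is added to the client's keytab (or provisioned another way, such as the password-derived quasi-keytab Mike speculates about).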