IETF Logo Mail Archive

[nfsv4] Re: Feedback on user ID for any bis work

Pali Rohár <pali-ietf-nfsv4@ietf.pali.im> Fri, 16 August 2024 16:46 UTC

Return-Path: <pali-ietf-nfsv4@ietf.pali.im>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9229C14F6A8 for <nfsv4@ietfa.amsl.com>; Fri, 16 Aug 2024 09:46:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.005
X-Spam-Level:
X-Spam-Status: No, score=-2.005 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pali.im
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XJ_WajqU176m for <nfsv4@ietfa.amsl.com>; Fri, 16 Aug 2024 09:46:42 -0700 (PDT)
Received: from pali.im (mail.pali.im [IPv6:2a02:2b88:6:5cc6::2a]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6CF9C14F738 for <nfsv4@ietf.org>; Fri, 16 Aug 2024 09:46:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pali.im; s=mail; t=1723826795; i=@pali.im; bh=pCvT+ypVMH18wp4VWc8Alz6A5n2/GgnsRHBb6dfms48=; h=Date:From:To:Subject:References:In-Reply-To:From; b=uTUlvdtN4Wb6bdYq7xE/SZFf/E04xq7Y+y6e5LltuTHY+VOJgZxE13Iv1yZvd8uWl FtdiZgGiHGfuaBl3WERg5Tih0PtqqncYshtdCQH7+LcQDuXhrWqvWiKx7mli9sJjtJ fb8LK3/BaZgsvtJVKRhs51UGhJv8fybKh8YZ7ZmbAFY1F5NRDjAijPpk5Pahv2YF4D pjK2p/F3wwOSmJ4YqCETtqShjhP1/egS8w78laguf+bETUdxroAnFHDxlyMJh9bvd5 VTB+kj3OfUDUrVG5CM3LSAkCAMKRhVsAVFLkBWbY2VRgN7CUEXHSfv9OxVrLoJFjYF dcUeldNl0fupw==
Received: by pali.im (Postfix) id 756BD7B7; Fri, 16 Aug 2024 18:46:35 +0200 (CEST)
Date: Fri, 16 Aug 2024 18:46:35 +0200
From: Pali Rohár <pali-ietf-nfsv4@ietf.pali.im>
To: nfsv4@ietf.org
Message-ID: <20240816164635.ne5ahjhkjxynlxjx@pali>
References: <88CFBD80-2BAA-43AE-8AA5-C032C2761266@cert.org> <DCD380BF-74D5-4FED-94EA-EC995A9DB164@oracle.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
In-Reply-To: <DCD380BF-74D5-4FED-94EA-EC995A9DB164@oracle.com>
User-Agent: NeoMutt/20180716
Message-ID-Hash: BH2AWHUHV56FH6H754ZEL4DKKX7KLJTI
X-Message-ID-Hash: BH2AWHUHV56FH6H754ZEL4DKKX7KLJTI
X-MailFrom: pali-ietf-nfsv4@ietf.pali.im
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: Feedback on user ID for any bis work
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/gidcOfDAQWAocWaHWFGcwMZK7pE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>

On Friday 16 August 2024 16:26:09 Chuck Lever III wrote:
> > On Aug 16, 2024, at 11:39 AM, Chris Inacio <inacio@cert.org> wrote:
> > 
> > Dave, All,
> > 
> > INDIVIDUAL CONTRIBUTOR HAT ON - NOT CHAIR
> > 
> > We need this super brief conversation in one of the interim meetings about how user identity is communicated across NFSv4, and there are 2 options, UID/GID ‘integer's and then loosely defined ‘string’.  So I’ve been digging into this and I would say, most definitely, do NOT remove the string.  So what I can see so far, is that UID/GID numbers are used when auth ‘sys’ is the selected mechanism, where current the string is used when auth is tied to GSS-API.  As far as I can tell, the kerberos principal name should be the string in the field.  I certainly don’t yet have a full understanding about how everything is connected together.  (Just sending the principal is nice and everything, but you want to be able to verify it, and HOLY RAT HOLE ROBIN is that confusing in practice.)
> > 
> > So, the thing I’m trying to make sense of, how hard would it be to support TLS identities (X.509 certs really) instead of Kerberos.
> 
> A perhaps subtle distinction here:
> 
> The current RPC-with-TLS protocol uses x.509 explicitly only for authenticating
> network peers (ie, hosts). RFC 9289 even says "not for user authentication". So
> I think the term "TLS" here is probably misplaced.
> 
> You instead want to invent a new RPC security flavor or flavors that authenticates
> users (or, dare I say it, to extend GSSAPI to handle this for us) via an x.509
> certificate, or OAuth, or such like. Nothing to do with transport layer security,
> which doesn't know from users.

Hello,
There is RFC 7055 which defines EAP as GSS-API mechanism. And IIRC EAP
has a way for user authentication based on x.509 certificate. So maybe
this could be a way? EAP is already widely used for wifi authentication.
But I have never heard about any usage of EAP in GSS-API.

> 
> > That also opens a fairly different control domain.  Kerberos is well suited to local enterprise control.  You can do that with X.509, but really, my anecdotal experience says, X.509 certs for enterprise are too heavy a lift, but they’re the answer when you want a more global identity.  That raises the question of target users of NFS protocol.  And if we’re (or maybe that’s just me doing it?) opening a wound there – then maybe we want to be able to support authentication and authorization that is more cloud compatible, which is potentially more than X.509.
> > 
> > These are just thoughts and feedback on some discussions.
> > 
> > Chris
> > 
> > 
> > P.S.
> > 
> > The complexity of auth is BONKERS!!!  So to kind of dig into this I have a freenas server running with ZFS as the backing store.  It’s the FreeBSD variant 13.0 stream.  I then deployed an LDAP and Kerberos solution (freeipa on Fedora) to have that running on an RPi4.  (This is all in my house, by the way.) For clients, I have a _real_ menagerie of machines: Mac OS 14.6, RPi Raspbian, FreeBSD, and Win 11.  For fun, that means NFS versions running are:  Mac OS 14.0 - NFSv4.0, Raspbian/Linux NFSv4.2, FreeBSD 13.x - NFSv4.1, Win 11 - NFSv3.  I can get most of the unixen to at least get a Kerberos user principal TGT.  Machine-to-machine, host principals are still a bit of a challenge.  The Windows machine seemingly would rather piss in my Cheerios than do what I want.  (What engineer where convinced their UI people to be able to give error messages as ‘1450 resource unavailable’ and then you need to type `net helpmsg 1450` to get an actual error message, which is completely useless anyway?  That person is either my hero or the devil.) And while Windows doesn’t want to cooperate at all, the unixen management of authentication identities is its own entire disjoint universe!  ‘SSSD' on Linux, ‘nfsuserd' on FreeBSD, and I haven’t even tried to cross that bridge on Mac.  So I’m still trying to get this collection of stuff to attempt to do full kerberos/gss-api negotiation on a mount.
> > 
> > 
> > Maybe this is why people run with auth sys!
> 
> No "maybe" about it, this /is/ why people stick with auth_sys.

I agree, mounting nfs share with kerberos is too complicated.
On Linux you can replace sssd by other looks but it is still
complicated, and not such easy as auth_sys.

v2.39.1 | Report a Bug | By Email | System Status