IETF Logo Mail Archive

Re: [nfsv4] RFC: Combining RPC-with-TLS and sec=krb5

David Noveck <davenoveck@gmail.com> Sun, 01 January 2023 13:09 UTC

Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 602A4C14CF01 for <nfsv4@ietfa.amsl.com>; Sun, 1 Jan 2023 05:09:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id efz1GPD2vjOm for <nfsv4@ietfa.amsl.com>; Sun, 1 Jan 2023 05:08:57 -0800 (PST)
Received: from mail-oa1-x2b.google.com (mail-oa1-x2b.google.com [IPv6:2001:4860:4864:20::2b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85513C14F73D for <nfsv4@ietf.org>; Sun, 1 Jan 2023 05:08:57 -0800 (PST)
Received: by mail-oa1-x2b.google.com with SMTP id 586e51a60fabf-1442977d77dso30122397fac.6 for <nfsv4@ietf.org>; Sun, 01 Jan 2023 05:08:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=HYgU3drsOx12awKYI9oFI9bDDPZnArRjYbEHf3nsppE=; b=R8zo6m81zM4dbWn8rfxrgMk1L3WOleCMhO+LeBaJDygCHPObjOHusRxlpCGXk0uiEG Fzkit7dxThXL0T2YdIPh+PoL0Y5r9vrghcJsUirrY6N/HKf0U1eufajB+7DpfIvmJVM+ e519m92c8iCuSp/ETr6I1tZsRbcuPoQUTrR0aLlF4ITY68uF2/JHtTzpbZDCeCB91M/s PU4EwpPYNGdCKzz1WIkzrbnlKcG/gpMU7R8zzOvA35iOKTplreE/AhatzHYXo4uHCuEa RdCnQwnR4lTULtjtSjGugaW2GxNtYxgrKs+OG6Ie63pLGsPQ1EV45a2+0AVQ5jJSfppP GciQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=HYgU3drsOx12awKYI9oFI9bDDPZnArRjYbEHf3nsppE=; b=58bp0D6Ac2Qp0uaotG65qMiv4o1nniy2nhofNd4NQ0hb4672NbKANts2teNlpGSVBQ Oth5Vu0rlcPT/nE6oNzBdofPghMu+VmdWxgNQykKeiJxflLWAangpC6hNlMfSCdqLT0g syQxHu5nrPlHRZji/T485QwXLKi7v6RGvKtZwG39VLrK7ypEODIEkUH/vKYuFDEuFziX qGJqy5RnHkQeKVaJgC8Cfn2EngyUcBkdCBo+OEpV3PDHcY0viyhWyUoL0rZnOfat93mu Y61XUARKyjBeyHEGEgqt5QkFb/VI+HSLW5yYn6yL2Cu+z07gZmjUg/NGfFbhnxExSDB5 1HeA==
X-Gm-Message-State: AFqh2kpRaTC+Phdi+2ylv1MlTtYI50rKKh6uOow4ufe0N/w1ZvAa14/7 s1grX3Ts3b5C9ndgPpJa4csSmAL9wklm3Al+zpvbJY7y
X-Google-Smtp-Source: AMrXdXuIi4vFpRC9CZDIApkmKeRwW/JBVAU16roIWCnbbDylfPfrmv/qLMnvVKUQnthlJFuhxwWFKUY10sfyl5MA8Ok=
X-Received: by 2002:a05:6870:883:b0:14f:ddb4:4dd5 with SMTP id fx3-20020a056870088300b0014fddb44dd5mr1336852oab.98.1672578536611; Sun, 01 Jan 2023 05:08:56 -0800 (PST)
MIME-Version: 1.0
References: <CAM5tNy7A41ss3m_Q4+XSnUF3frbe9YO-4EzMUA1_k_wyz+e12Q@mail.gmail.com>
In-Reply-To: <CAM5tNy7A41ss3m_Q4+XSnUF3frbe9YO-4EzMUA1_k_wyz+e12Q@mail.gmail.com>
From: David Noveck <davenoveck@gmail.com>
Date: Sun, 01 Jan 2023 08:08:45 -0500
Message-ID: <CADaq8jcDcbDsvS3WnJo1jXO4bBFwT+smT4Yr5GREcu4-TCinvg@mail.gmail.com>
To: Rick Macklem <rick.macklem@gmail.com>
Cc: NFSv4 <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000088a29d05f1338936"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/x5GjekOy5x4iZ2v0YnxK2Fc36gI>
Subject: Re: [nfsv4] RFC: Combining RPC-with-TLS and sec=krb5
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Jan 2023 13:09:01 -0000

On Sun, Jan 1, 2023, 6:51 AM Rick Macklem <rick.macklem@gmail.com> wrote:

> First, some background...
>
> The NFSv4 RFCs require that the same principal be used for all state
> related operations as was used for the initial SetClientID or ExchangeID.
>

That was not my impression.  Where exactly does it say this.?

Also, how does this relate to the discussion of state protection in rfc8881?

For kerberized NFSv4 mounts, the client has typically handled this in one
> of two ways:
>
> A - A host based principal of the form "host/FQDN-of-client" is created
>     on the KDC.  A keytab entry for this principal is then generated and
>     put in the client's default keytab file via some secure means.
>     This approach works, but does have some limitations:
>     - The client must have a well defined, fixed, DNS host name.
>       This implies that it does not work for any mobile device.
>     - The administrative overhead of doing this seems to have discouraged
>       some from doing Kerberized NFSv4 mounts and instead choosing to
>       use insecure AUTH_SYS.
>
> B - The client's "root" user does a kinit for a Kerberos user principal
>     to acquire a valid TGT and then does a mount, using that TGT/principal.
>     This approach works, but also has limitations:
>     - When the user principal's TGT expires, the mount stops working.
>     - The mount can only be done manually, after doing a "kinit".
>     - The procedure for doing this is rather convoluted for the Linux
>       NFSv4 client.
>
> The fact that this tends to be administratively "awkward" is not
> surprising, since Kerberos was designed for user authentication
> and not machine (or peer, if you prefer) authentication.
>

Yes.

We now have RPC-with-TLS.  This can provide machine authentication,
> but requiring the NFSv4 client to present a valid X.509 certificate
> during TLS handshake.  It also provides on-the-wire encryption,
> obviating any need for RPCSEC_GSS integrity or privacy.
>

That is explicitly discussed in *draft-ietf-nfsv4-security*, which hasn't
yet emerged from an adoption call that started in October.  We need to get
this completed soon.  I'll follow up with the other wg chairs.

However, it does not provide user authentication and, as such, can
> result in mounts using insecure AUTH_SYS.
>

The current assumption, in the pending rfc5661bis-related documents, is
that the security of using AUTH_SYS is substantially enhanced when it is
used with peer authentication since you have some basis for determining
that the client is trustworthy in sending uid values.  That's better but it
still leaves AUTH_SYS somewhat insecure.


> So, what I have test coded for FreeBSD combines the use of RPC-with-TLS
> for privacy and machine authentication with the use of RPCSEC_GSS/Kerberos
> for user authentication.  This did not require any on-the-wire protocol
> changes,
>

I get the impression that it might require some limited set of
specification changes.

but did require some implementation work on both client and server.
>

So, if this prototype requires implementation work on both the FreeBSD
client and server, what is the interoperability story when your client
accesses a Linux server?


> For the NFSv4 server:
> 1 - Allow compound RPCs that consist entirely of state maintenance
> operations
>     (ExchangeID, CreateSession, ReclaimComplete, Sequence, DestroySession,
>      DestroyClient, SetClientID, SetClientIDConfirm, Renew, FreeStateID,
>      ReleaseLockOwner, BindConnectionToSession)
>     to be performed using AUTH_SYS credentials with the same uid (usually
> 0)
>     if the client is using RPC-with-TLS and has machine authenticated
> during
>     TLS handshake (via a X.509 certificate).
> 2 - Require all other compound RPCs (ones making use of a CFH) to be
> performed
>     with RPCSEC_GSS/Kerberos credentials.
> This turned out to be fairly simple for the FreeBSD NFSv4 server, since it
> already had a separate function to authenticate #1 vs #2 RPCs.
>
> This allows a client to use Kerberos for user authentication, but does not
> require the client to do (A) or (B) above.
> Implementation of this in the FreeBSD NFSv4 client turned out to be
> somewhat
> more involved than the server changes.  The FreeBSD NFSv4 client does a
> compound RPC that looks like:
> - PutRootFH, { Lookup, Lookup,...Lookup }, GetFH
>   For example, if the mount is specified as nfsv4-server:/export/vol1,
>   the above would be:
>   PutRootFH, Lookup export, Lookup vol1, GetFH
> This RPC is normally done during mount.  To make this scheme work, the
> above RPC needed to be deferred if the server replied NFS4ERR_WRONGSEC
> when attempted using AUTH_SYS credential.
>

An alternative would be to allow LOOKUP of export points to be done with
AUTH_SYS.  More work for the server but less for the client.

Then, the above RPC is attempted again whenever a user process attempts
> to access the mounted file system.  When one of these access attempts
> is done by a user with a valid TGT for their user principal, the attempt
> succeeds and the mount then knows the actual file handle for the
> mount point.
>
> Deferring acquisition of the mount point file handle required that a "fake"
> one be created during the mount operation, which is then replaced when
> a retry of the above RPC succeeds.  This is obviously a FreeBSD specific
> implementation detail, but other clients might perform in a similar way.
>
> In summary, this implementation allows the use of Kerberos for user
> authentication without the need to (mis)use Kerberos for machine
> authentication.
> Machine authentication is handled by RPC-with-TLS, along with on-the-wire
> encryption (which may be supported by offload hardware).
> It is hoped that this might simplify Kerberos deployment for NFSv4 mounts
> to the point that it would be more widely adopted.
>

It might but the experience is such that we can't depend on that happening.


> So, does this sound like a good plan?
>

It sounds like a worthwhile approach.


> In particular, are the Linux folk interested in implementing this?
>

I don't know.

In any case, we should discuss the spec implications at the IETF116 meeting
and see if this needs changes to go into *draft-ietf-nfsv4-security-01*.
That requires that we get the -00 out within the next few weeks


> Thanks for any comments, rick
>
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4
>

v2.23.0 | Report a Bug | By Email