[nfsv4] Fwd: Re: Feedback on user ID for any bis work

David Noveck <davenoveck@gmail.com> Fri, 06 September 2024 12:40 UTC

Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1FBFC151525; Fri, 6 Sep 2024 05:40:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SYDqxz3MGrdj; Fri, 6 Sep 2024 05:40:27 -0700 (PDT)
Received: from mail-ot1-x333.google.com (mail-ot1-x333.google.com [IPv6:2607:f8b0:4864:20::333]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF40EC151068; Fri, 6 Sep 2024 05:40:26 -0700 (PDT)
Received: by mail-ot1-x333.google.com with SMTP id 46e09a7af769-70f6a1afc90so913172a34.3; Fri, 06 Sep 2024 05:40:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1725626426; x=1726231226; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=yKetxy9zM2JPdgXloSENCP2s8OTZj0qS633lvtAmNUE=; b=IV/I6sFs5nJ5oPcX+Mx2BPrRiesbBPWfh6SiO7G7RE44209H73hzhbdzK30bpsG6nz eAW5/cbH8NC2EldN6fgOpNL65hv7j/UZ8vsmdk/4AbtkLS3d/8qE91liylyyCfLJyNUz JFX3TO0k3/YEv7W+0qG0LmcfMBJkHtxWSJrbE4J0Ef9bvJ0guLoJLxaB5nsfKNOo4NBX qEGQTIE7dtBdBRjdhkQB5AbShLElyJ6hOQ8//h6i0x+mc9c/k3mqAoPEp1llASxW/HUc 8RlrEN0BmAeIXeIiG5b0JIFr9auopySn+I3uYbBjXBCzoTVeRJU0TeFG1b1YKvy6e6q/ jQ0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725626426; x=1726231226; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=yKetxy9zM2JPdgXloSENCP2s8OTZj0qS633lvtAmNUE=; b=Z4mcAgHHU06ygyPnJfHG5FFEdYjaqRKeahAo/uyNgJxPcGA7N21PyA/JiiW8adOqc+ aWsxR5kDRJl0f/KTD6cKm6LMQFvsb2TqhRK21tDnmmAC9DV0ujvKtIGawGfRX8yZGF28 NdqTWDMNmhb74TECwU3FxSmhWiF4VivdezJ447MpsJL/uCIeda98/m+kOZFncCyxpPC/ ToALNB0dwtnc+fWdVHVik7wtNc/JfsMHh2rDKVugwnz0SmYPLlONRT7MuEpzdOIOSUD4 GXPr+xPxW9uV+QSdQKakmiwn7GL4IhK+oXq7UpI7iXei1+piI7yz1aga7Jki5aZQWosQ HRTw==
X-Forwarded-Encrypted: i=1; AJvYcCXy9bjA2QdjjPP8tLbTEoL7rbcasz42PRC7mMgMp4HlWKfbgHFAyaTm6IgawGxe0d5UNnVtvmf0hXJCtBw=@ietf.org
X-Gm-Message-State: AOJu0YylJqC14nVMyM8TVLvqqLD5r6Xi9WREtY4o69M4HdinhB0kVVgz VqvPi5A2/Ojzotr+kS/SkwrpwLkW8iSkvL4nG3OpRZ7392K9M376Gg6i47OpXOD7IiCMYUQMZH9 h6nA6qb6lxjS+Bw/yuMnGpo1mjm8TJ/5e
X-Google-Smtp-Source: AGHT+IEDXM/Zge+p7nvOIqcFtCjXgHWK2u/+gts+35XdjFkTFWLKKsMzDC197j/PbAjIoLk13fvrzzC1/U2CygYKGRs=
X-Received: by 2002:a05:6830:6f87:b0:704:8660:2672 with SMTP id 46e09a7af769-710cc26dd33mr2658813a34.25.1725626425722; Fri, 06 Sep 2024 05:40:25 -0700 (PDT)
MIME-Version: 1.0
References: <88CFBD80-2BAA-43AE-8AA5-C032C2761266@cert.org> <DCD380BF-74D5-4FED-94EA-EC995A9DB164@oracle.com> <CAN0SSYwrebn8Btzbi9142dr3pX1ViLf7FqDAd8aaOHxHercJNA@mail.gmail.com> <CADaq8jdiM9WOnobTV2tnicfLcCZXPFTZURsgFh512GyKaSOqGg@mail.gmail.com>
In-Reply-To: <CADaq8jdiM9WOnobTV2tnicfLcCZXPFTZURsgFh512GyKaSOqGg@mail.gmail.com>
From: David Noveck <davenoveck@gmail.com>
Date: Fri, 06 Sep 2024 08:40:14 -0400
Message-ID: <CADaq8jdiaqgQ24Kmke6kOG4kXg28qr2oQJnrFTDEVJ1=V3wLsg@mail.gmail.com>
To: NFSv4 <nfsv4@ietf.org>, nfsv4-chairs <nfsv4-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001ed521062172b6ab"
Message-ID-Hash: LI76J236BART6AZW3K4QF537RTWUNXK6
X-Message-ID-Hash: LI76J236BART6AZW3K4QF537RTWUNXK6
X-MailFrom: davenoveck@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Fwd: Re: Feedback on user ID for any bis work
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/zWkcsxAtO7gwrDidwm6gsXZi52w>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>

---------- Forwarded message ---------
From: David Noveck <davenoveck@gmail.com>
Date: Fri, Sep 6, 2024 at 8:36 AM
Subject: Re: [nfsv4] Re: Feedback on user ID for any bis work
To: Mark Liam Brown <brownmarkliam@gmail.com>




On Fri, Sep 6, 2024 at 7:15 AM Mark Liam Brown <brownmarkliam@gmail.com>
wrote:

> On Fri, Aug 16, 2024 at 6:26 PM Chuck Lever III
> <chuck.lever=40oracle.com@dmarc.ietf.org> wrote:
> >
> >
> >
> > > On Aug 16, 2024, at 11:39 AM, Chris Inacio <inacio@cert.org> wrote:
> > >
> > > Dave, All,
> > >
> > > INDIVIDUAL CONTRIBUTOR HAT ON - NOT CHAIR
> > >
> > > We need this super brief conversation in one of the interim meetings


To have a conversation (super-brief or otherwise) at  "one of the interim
meetings", we actually have to have an interim meeting.

All jokes about Multiple Personality Disorder Aside, we need the chairs (of
which Chris is one, whatever hat he chooses to wear, if any, on any given
day) to actually schedule a meeting.   I'd like to know why these are not
happening.


> about how user identity is communicated across NFSv4, and there are 2
> options, UID/GID ‘integer's and then loosely defined ‘string’.


That's true.   The difference between rfc8881 and the current security
draft is that the numeric form is now a first-class citizen while
previously it was considered an unfortunate relic that needed to be tightly
controlled and interfere with the string which was considered the wave of
the future.

So I’ve been digging into this and I would say, most definitely, do NOT
> remove the string.


Nobody has suggested doing that and I have no intention of doing so.

So what I can see so far, is that UID/GID numbers are used when auth ‘sys’
> is the selected mechanism, where current the string is used when auth is
> tied to GSS-API.


That's what the security draft now says.   rfc8881 suggested the string
should be used all the time but was really unclear about how the client and
server could agree on a secure mapping that they shared.


> As far as I can tell, the kerberos principal name should be the string in
> the field.


Perhaps some clarification should be added in the next draft.


> I certainly don’t yet have a full understanding about how everything is
> connected together.


What needs to be added to the spec?


> (Just sending the principal is nice and everything, but you want to be
> able to verify it, and HOLY RAT HOLE ROBIN is that confusing in practice.)
>

I think Kerberos does that OK.  For auth_sys, it is not verified since the
server has to be trusted to a degree, and I don't see that changing in the
bis timeframe..

> > >
> > > So, the thing I’m trying to make sense of, how hard would it be to
> support TLS identities (X.509 certs really) instead of Kerberos.
> >
> > A perhaps subtle distinction here:
> >
> > The current RPC-with-TLS protocol uses x.509 explicitly only for
> authenticating
> > network peers (ie, hosts). RFC 9289 even says "not for user
> authentication".


Yes.


> So
> > I think the term "TLS" here is probably misplaced.
> >
>

Why?.  What term should we use?


> > You instead want to invent a new RPC security flavor or flavors that
> authenticates
> > users (or, dare I say it, to extend GSSAPI to handle this for us) via an
> x.509
> > certificate, or OAuth, or such like. Nothing to do with transport layer
> security,
> > which doesn't know from users.
>

If you want to do that, do that.  In any case, I don't think we will be
ready to tke on such a big
task as par of the bis.  As I said before, I am prepared to make a
provision to extend the string
in the bis and leave the actual extensions to later documents, once efforts
start in this
direction.

> >
> >
> > > That also opens a fairly different control domain.  Kerberos is well
> suited to local enterprise control.  You can do that with X.509, but
> really, my anecdotal experience says, X.509 certs for enterprise are too
> heavy a lift, but they’re the answer when you want a more global identity.
> That raises the question of target users of NFS protocol.  And if we’re (or
> maybe that’s just me doing it?) opening a wound there – then maybe we want
> to be able to support authentication and authorization that is more cloud
> compatible, which is potentially more than X.509.

> >
> > > These are just thoughts and feedback on some discussions.
>

I think we need some actions to go with these thoughts.  If not, we can
pick this
up later.  i.e. after the bis is close to submission.


> > >
> > > Chris
> > >
> > >
> > > P.S.
> > >
> > > The complexity of auth is BONKERS!!!  So to kind of dig into this I
> have a freenas server running with ZFS as the backing store.  It’s the
> FreeBSD variant 13.0 stream.  I then deployed an LDAP and Kerberos solution
> (freeipa on Fedora) to have that running on an RPi4.  (This is all in my
> house, by the way.) For clients, I have a _real_ menagerie of machines: Mac
> OS 14.6, RPi Raspbian, FreeBSD, and Win 11.  For fun, that means NFS
> versions running are:  Mac OS 14.0 - NFSv4.0, Raspbian/Linux NFSv4.2,
> FreeBSD 13.x - NFSv4.1, Win 11 - NFSv3.  I can get most of the unixen to at
> least get a Kerberos user principal TGT.  Machine-to-machine, host
> principals are still a bit of a challenge.  The Windows machine seemingly
> would rather piss in my Cheerios than do what I want.  (What engineer where
> convinced their UI people to be able to give error messages as ‘1450
> resource unavailable’ and then you need to type `net helpmsg 1450` to get
> an actual error message, which is completely useless anyway?  That person
> is either my hero or the devil.) And while Windows doesn’t want to
> cooperate at all, the unixen management of authentication identities is its
> own entire disjoint universe!  ‘SSSD' on Linux, ‘nfsuserd' on FreeBSD, and
> I haven’t even tried to cross that bridge on Mac.  So I’m still trying to
> get this collection of stuff to attempt to do full kerberos/gss-api
> negotiation on a mount.
> > >
> > >
> > > Maybe this is why people run with auth sys!
> >
> > No "maybe" about it, this /is/ why people stick with auth_sys.
>
> But even auth_sys must support user@name on Windows, because Windows
> has no concept of uid/gid.


I don't understand.  If windows has no concept of uid/gid, how is it using
auth_sys?

authsys includes uids/gids in the header to identify the principal.


> The Windows NFS41 driver just sends the
> Windows domain\user converted to user@domain to the NFS server.
>

The NFS server, if it is using an fs that stores uid/gid in the inode, must
convert it to that form.  How are we assure that the client's and server's
mappings match and what does this mean for security?


>
> Mark
> --
> IT Infrastructure Consultant
> Windows, Linux
>
> _______________________________________________
> nfsv4 mailing list -- nfsv4@ietf.org
> To unsubscribe send an email to nfsv4-leave@ietf.org
>