From owner-freebsd-stable@FreeBSD.ORG Thu Feb 11 17:02:50 2010 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 392BF1065746 for ; Thu, 11 Feb 2010 17:02:50 +0000 (UTC) (envelope-from dfr@rabson.org) Received: from itchy.rabson.org (router.rabson.org [80.177.232.241]) by mx1.freebsd.org (Postfix) with ESMTP id 9BDE48FC1E for ; Thu, 11 Feb 2010 17:02:49 +0000 (UTC) Received: from macpro.dyn.rabson.org (macpro.dyn.rabson.org [192.168.42.241]) by itchy.rabson.org (Postfix) with ESMTP id 357715C33; Thu, 11 Feb 2010 16:47:19 +0000 (GMT) Mime-Version: 1.0 (Apple Message framework v1077) Content-Type: text/plain; charset=us-ascii From: Doug Rabson In-Reply-To: <4B6D3A18.2030304@eng.auth.gr> Date: Thu, 11 Feb 2010 16:46:41 +0000 Content-Transfer-Encoding: quoted-printable Message-Id: <0DDBB542-5BCF-485B-ACF9-0EE977E74A92@rabson.org> References: <4B6BE7A2.6000402@eng.auth.gr> <4B6D3A18.2030304@eng.auth.gr> To: George Mamalakis X-Mailer: Apple Mail (2.1077) Cc: Rick Macklem , freebsd-stable , freebsd-current@freebsd.org Subject: Re: Kerberized NFSv3 incorrect behavior X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Feb 2010 17:02:50 -0000 On 6 Feb 2010, at 09:44, George Mamalakis wrote: > Rick Macklem wrote: >>=20 >>=20 >> On Fri, 5 Feb 2010, George Mamalakis wrote: >>=20 >>> Dear all, >>>=20 >>> I am running FBSD8-STABLE on an nfsv3 server and an nfsv3 client. My = configuration is based on = http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup. My = goal is to share filesystems securely through kerberos authentication. = Everything works fine, until I try to kdestroy my tickets or kinit to = some other user, where the system insists to think that I am the user = that initially obtained their ticket. To be more extensive, my story is = as follows: >>>=20 >> [good stuff snipped] >>>=20 >>>=20 >>> and both client and server have the correct entries about each other = (and themselves) in their /etc/hosts, so heimdal works just fine. >>>=20 >>> Both client and server have their respective keytabs stored in = /etc/krb5.keytab, and I use two users in my example (that both exist in = both systems with the same uid,gid): mamalos and testakis. >>>=20 >>=20 >> Unless you have applied the experimental patch, a keytab entry is >> meaningless in the client. Without that, it was assumed that "root" >> would never "kinit" as anyone. Basically, it was assumed that "root" >> would only do the mount and a user, like "mamalos" or "testakis" >> would be logged in and kinit'd as that user. >>=20 >> The short answer is that any principal with TGT in the credentials >> cache for uid=3D=3DN will be used to authenticate that user. Once >> authenticated, that "handle" for the user can be used until it >> expires (up to the server, but usually set to when the TGT that >> it found in the credential cache is due to expire). >>=20 >>> So, when I mount the exported filesystem on the client giving: >>>=20 >>> # mount -o nvfsv3,sec=3Dkrb5 server.example.com:/exports /mnt >>> # mount >>> /dev/da0s1a on / (ufs, local, soft-updates) >>> devfs on /dev (devfs, local, multilabel) >>> server.example.com:/exports on /mnt (nfs) >>>=20 >>> and try to access the share: >>> # ls /mnt >>> ls: mnt: Permission denied >>>=20 >>> I get the error I am expecting, since root does not have any = kerberos tickets assigned, yet. Let's see what happens when I kinit as = mamalos: >>=20 >> Yep, as expected. >>> # klist >>> Credentials cache: FILE:/tmp/krb5cc_0 >>> Principal: mamalos@EXAMPLE.COM >>>=20 >>> Issued Expires Principal >>> Feb 5 11:20:49 Feb 5 21:20:47 krbtgt/EXAPMLE.COM@EXAMPLE.COM >>> # ls -la /mnt/ >>> total 8 >>> drwxr-xr-x 4 root wheel - 512 4 Feb 19:03 ./ >>> drwxr-xr-x 21 root wheel - 512 3 Feb 11:27 ../ >>> drwx------ 2 mamalos wheel - 512 5 Feb 11:11 mamalos/ >>> drwx------ 2 testakis wheel - 512 4 Feb 19:06 testakis/ >>> # touch /mnt/mamalos/myfile >>> # ls -la /mnt/mamalos/myfile >>> rw-r--r-- 1 mamalos wheel - 0 5 Feb 11:22 /mnt/mamalos/myfile >>>=20 >>> Which is the exact behavior that is expected. Now when I kdestroy: >>> # kdestroy >>> # klist >>> klist: No ticket file: /tmp/krb5cc_0 >>> # touch /mnt/mamalos/myfilethatshouldnotbe >>> # ls -la /mnt/mamalos/myfilethatshouldnotbe >>> -rw-r--r-- 1 mamalos wheel - 0 5 Feb 11:24 = /mnt/mamalos/myfilethatshouldnotbe >>>=20 >>=20 >> Yes, this is a "bug/limitation" in the current implementation. I = believe >> that "kdestroy" should do some sort of system call to inform the NFS >> client that "credentials for uid=3D=3DN" should be invalidated. This = is not >> implemented in FreeBSD8 (or Linux for that matter, last I checked). >> I don't know if dfr@ was planning on doing this and whether or not he >> thinks it is appropriate to do so? >>=20 >> Without that implemented, the "handle" continues to work until the >> server expires it, normally when the TGT for "mamalos" would have >> expired if you hadn't kdestroy'd it. >>=20 >>> And I can do everything in that share as if I were still mamalos, = even though I kdestroyed my kerberos ticket. The same thing will happen = even if I kinit to testakis after that. klist shows testakis' ticket = this time, but I am not allowed to access (rwx) tetakis' files/folders, = and I still have full control over mamalos' files and folders. >>>=20 >>> In order to be able to do something as testakis, I have to unmount = the share and remount it while having testakis' ticket (or having no = ticket at all, and giving kinit testakis after mounting the share). >>>=20 >>=20 >> Actually, logging in as "testakis" should allow that user to access = the >> mount as "testakis" once kinit'd as "testakis". The trick is that the >> credential cache entry needs to be in /tmp/krb5cc_N (where 'N' is the >> uid assigned to "testakis"). Same would apply to "mamalos" if that >> user were logged in with a non-0 uid. >>=20 >>> I am not an NFS expert, but I suppose that this behavior is not the = one to be expected, except if I am missing some fundamental information = about kerberized NFS that explains it. Even so, it would be quite unwise = to behave so, since even if the users kdestroys their tickets, they have = still all permissions as when they obtained their ticket. >>>=20 >>=20 >> Yes, as noted above, I believe that "kdestroy" should get rid of the >> Kerberized NFS "handles" for the corresponding "uid". It's on my >> "to discuss with dfr and maybe do" list, but unfortunately not near >> the top of it. (I'd also like to come up with a good way to do >> initiator credentials from a keytab entry. The experimental patch >> is considered unacceptable for FreeBSD-current etc.) >>=20 >> Hope that clarifies things, rick >>=20 >> _______________________________________________ >> freebsd-stable@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-stable >> To unsubscribe, send any mail to = "freebsd-stable-unsubscribe@freebsd.org" >>=20 > Rick, >=20 > thank you for all your answers. I am planning on setting up the = computer labs of my department using kerberized nfsv3 (since v4 seems to = be "more" experimental) with a FreeBSD nfs server and Linux nfs clients. = I was wondering "how stable" such an implementation would be; meaning = that I wouldn't want to end up with an unstsable setup when receiving = requests from 50-60 simultaneous clients, because that would be my = everyday scenario. >=20 > Thanks again for all your explanations (you covered me fully) and for = your understanding of my remarks. I think all that is needed is for kdestroy to make a syscall on the = client to flush cached credentials - the server clean up automatically = after the cred expires. As long as the client deletes its cached cred = (and the associated keying materials), there should be no security = issues. I believe Solaris does it this way. =20