From: Rick Macklem <rmacklem@uoguelph.ca>
To: FreeBSD Filesystems <freebsd-fs@freebsd.org>
Cc: admin@ist.tugraz.at
Date: Sat, 22 Dec 2012 19:10:32 -0500 (EST)
Message-ID: <1071529580.1558626.1356221432033.JavaMail.root@erie.cs.uoguelph.ca>
Subject: NFS krb5 host based initiator credential patch

Hi,

For a long time, I've had a patch that adds support for host-based credentials in a keytab file to the kerberized NFS client. Unfortunately, it only worked if the kind of encryption used to create the keytab entry was explicitly set via a sysctl. Because of this, dfr@ understandably didn't want it committed. Also, the patch had a bug which caused crashes when the initial use of the credential failed for any reason.

I now finally have a patch that doesn't require explicit setting of the encryption type to make it work. (It does essentially a "kinit -k" to acquire a TGT and put it in a credential cache, which is then used by gss_init_sec_context().)

I'd appreciate testing and review of this patch. It can be found at:

http://people.freebsd.org/~rmacklem/rpcsec_gss-hostbased-initiator.patch

This patch should apply to the files in -current. If the patch doesn't apply cleanly, you can find patched copies of the files here. (These should be buildable in any 9.0 or later system, I think?)

http://people.freebsd.org/~rmacklem/rpcsec_gss-hostbased-initiator-patched-files

The patch has worked ok for me for some testing, but I have only used a des-cbc-crc encrypted keytab entry. (I believe other encryption types should work, so long as they result in an 8-byte session key, but I haven't tested this and suggest testers start with des-cbc-crc.)

rick

ps: RPCSEC_GSS version 1 uses des-cbc encryption for krb5p, so stronger encryption for the keytab entry probably doesn't make any difference.