Switching identity using kinit/kdestroy for NFSv4 mounts doesn't work

Simo Sorce simo at redhat.com
Mon Mar 16 10:12:02 EDT 2015


On Mon, 2015-03-16 at 10:33 +0100, Robert Wehn wrote:
> Hello *
> 
> @Brandon, Ben:
> On 13.03.2015, 15:05 Brandon Allbery wrote:
> > ... the whole business about snooping ticket caches and caching its
> > own private copy is concerning security-wise and seems like it
> > would easily become confused.
> 
> On 13.03.2015, 16:53 Benjamin Kaduk wrote:
> > See Brandon's response as well, but from a security perspective,
> > the kernel NFS implementation is wrong to cache things for so
> > long, especially without providing a way to invalidate a cached
> > entry.
> 
> It's nice to hear that we're not the only ones thinking this is not
> such a good idea.
> 
> 
> @Simo
> On 13.03.2015 at 17:24 Simo Sorce wrote:
> > Note that NFS does not cache a ticket, it simply does not destroy
> > the GSS Session after it has been created.
> didn't get this detail from our test
> > An interface to allow to destroy the NFS's user session on kdestroy
> > has been discussed with NFS upstream before but it hasn't gone
> > anywhere yet.
> Do you refer to these discussions or is there something else we missed?
> http://thread.gmane.org/gmane.linux.nfs/46234
> https://fedorahosted.org/gss-proxy/ticket/1

May have been this one, it was a while ago and my memory is not firm.

> It looks like the problem is well known and there have been ideas to
> solve that which never got into the Kernel:
> http://www.spinics.net/lists/linux-nfs/msg34236.html
> http://www.citi.umich.edu/projects/asci/icsi-alpha/nfs-utils-patches/1.0.10-asci-2/nfs-utils-1.0.10-asci-017-add_nfslogin.dif
> 
> Does one of you have an idea how the situation can be pushed in the right
> direction?

The main issue that derailed any previous attempts (afaik) was that
there was no consensus on how to signal the kernel that it was time to
destroy the gss context. And in secondary order how to convey this
information to the kernel itself. One idea could be to stick a reference
in a keyring key and then allow the user owner to delete it.
But not sure people want the dependency in the kernel side.

> Our Canonical Support Contact created a bug here
> https://bugzilla.kernel.org/show_bug.cgi?id=93891
> and maybe commenting that from the Kerberos community may help ...

I guess what's needed is someone to drive the communication process
between the various stakeholders so that we can come to an agreement on
what interfaces are best to use, and then follow up prodding people to
provide the actual code.

HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
