From nobody Mon Apr 15 19:53:13 2024
X-Original-To: freebsd-fs@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4VJHsS1SLFz5HD4C
	for <freebsd-fs@mlmmj.nyi.freebsd.org>; Mon, 15 Apr 2024 19:53:16 +0000 (UTC)
	(envelope-from kempe@lysator.liu.se)
Received: from mail.lysator.liu.se (mail.lysator.liu.se [130.236.254.3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4VJHsR50YJz4RhX
	for <freebsd-fs@freebsd.org>; Mon, 15 Apr 2024 19:53:15 +0000 (UTC)
	(envelope-from kempe@lysator.liu.se)
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	dmarc=pass (policy=none) header.from=lysator.liu.se;
	spf=pass (mx1.freebsd.org: domain of kempe@lysator.liu.se designates 130.236.254.3 as permitted sender) smtp.mailfrom=kempe@lysator.liu.se
Received: from mail.lysator.liu.se (localhost [127.0.0.1])
	by mail.lysator.liu.se (Postfix) with ESMTP id 298352D6F;
	Mon, 15 Apr 2024 21:53:14 +0200 (CEST)
Received: from shipon.lysator.liu.se (shipon.lysator.liu.se [IPv6:2001:6b0:17:f0a0::83])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by mail.lysator.liu.se (Postfix) with ESMTPSA id 13A222DA3;
	Mon, 15 Apr 2024 21:53:14 +0200 (CEST)
Date: Mon, 15 Apr 2024 21:53:13 +0200
From: Andreas Kempe <kempe@lysator.liu.se>
To: Rick Macklem <rick.macklem@gmail.com>
Cc: freebsd-fs@freebsd.org
Subject: Re: Kerberised NFSv4 - everyone gets mapped to nobody on file access
Message-ID: <Zh2FqXMQgq9rcc-A@shipon.lysator.liu.se>
References: <CAM5tNy7YM6bRKTX3pLR8hC-a-cmxXA=wv4j0E8cBWGthbxzLdQ@mail.gmail.com>
 <ZgRUqkl1zVxMPt6K@shipon.lysator.liu.se>
 <CAM5tNy68W16ut4vR1Y9xxPwaU+T+t8fU8dwg3DbfhMT5h5iEDQ@mail.gmail.com>
 <ZgVKehV_9ePUBdwd@shipon.lysator.liu.se>
 <CAM5tNy4ye6BwYAZ+VYQOgDnSjAmyg+CCu=XCm-+DZucfrfwgKw@mail.gmail.com>
 <CAM5tNy4+bUc0VMY8i_E9P-pT0CEOXHpKzitMuKYzydH465OBGg@mail.gmail.com>
 <ZgiIAyDKPlCr1c9C@shipon.lysator.liu.se>
 <CAM5tNy5GbbZSJ3sOALx6zUkZz_7BJGzQ_63srVK88RFecb_eCQ@mail.gmail.com>
 <Zhv1jtKU8lRdKOul@shipon.lysator.liu.se>
 <CAM5tNy5a-CALZdrHhCQ1akmR3=BqeEK8EFb6UxZ+COp38u3bTg@mail.gmail.com>
List-Id: Filesystems <freebsd-fs.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-fs
List-Help: <mailto:freebsd-fs+help@freebsd.org>
List-Post: <mailto:freebsd-fs@freebsd.org>
List-Subscribe: <mailto:freebsd-fs+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-fs+unsubscribe@freebsd.org>
Sender: owner-freebsd-fs@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAM5tNy5a-CALZdrHhCQ1akmR3=BqeEK8EFb6UxZ+COp38u3bTg@mail.gmail.com>
X-Virus-Scanned: ClamAV using ClamSMTP
X-Spamd-Bar: ---
X-Spamd-Result: default: False [-3.04 / 15.00];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	NEURAL_HAM_MEDIUM(-0.99)[-0.993];
	DMARC_POLICY_ALLOW(-0.50)[lysator.liu.se,none];
	R_SPF_ALLOW(-0.20)[+a:mail.lysator.liu.se:c];
	RCVD_IN_DNSWL_MED(-0.20)[130.236.254.3:from];
	MIME_GOOD(-0.10)[text/plain];
	NEURAL_HAM_SHORT(-0.04)[-0.043];
	TO_MATCH_ENVRCPT_SOME(0.00)[];
	ASN(0.00)[asn:2843, ipnet:130.236.0.0/16, country:SE];
	ARC_NA(0.00)[];
	RCVD_VIA_SMTP_AUTH(0.00)[];
	MISSING_XM_UA(0.00)[];
	TO_DN_SOME(0.00)[];
	MIME_TRACE(0.00)[0:+];
	RCVD_TLS_LAST(0.00)[];
	FROM_HAS_DN(0.00)[];
	TAGGED_RCPT(0.00)[];
	MLMMJ_DEST(0.00)[freebsd-fs@freebsd.org];
	MID_RHS_MATCH_FROMTLD(0.00)[];
	RCPT_COUNT_TWO(0.00)[2];
	R_DKIM_NA(0.00)[];
	FROM_EQ_ENVFROM(0.00)[];
	RCVD_COUNT_TWO(0.00)[2];
	FREEMAIL_TO(0.00)[gmail.com]
X-Rspamd-Queue-Id: 4VJHsR50YJz4RhX

On Sun, Apr 14, 2024 at 12:30:22PM -0700, Rick Macklem wrote:
> On Sun, Apr 14, 2024 at 8:26 AM Andreas Kempe <kempe@lysator.liu.se> wrote:
> > Am I correct in thinking that Kerberos isn't really designed to be
> > used for only authenticating the machine? Users having to always have
> > their own valid Kerberos ticket doesn't really work for us.
> Yes. The "host" keytab credential is a "hack". Kerberos calls them
> service principals and they were not intended to authenticate a machine
> when Kerberos was designed.
> 
> If users are running cron jobs, then one way around the problem
> is to have the KDC issue renewable tickets and then run a daemon
> (can't remember the name, but it is easy to find and opensourced)
> that renews TGTs. (This only works up to the renew limit of the KDC
> config.)
> 

I have seen that this should be possible, the Linux SSSD daemon can do
that. We do still have the issue of users having to log on to every
system after a reboot to init a ticket so I still don't think it would
be ideal for us.

> NFS-over-TLS (called RPC-over-TLS by the Linux folk) does allow
> a client to provide a X.509 certificate during TLS handshake to
> identify the client machine and the TLS encrypts everything on
> the wire to avoid middleman attacks or snoopers.
> It does not identify users on the server, unless TLS identity
> squashing is used via the X.509 certificate to make all RPCs
> done by a user. (This has the advantage that it is not "nobody",
> but is only useful for things like laptops, that are only used by
> one user. It does have the advantage that there are no tickets
> to expire, although there is a, usually long, expiration on the X.509
> certificate.)
> 

If I'm running NFS with TLS without TLS identity squashing, does this
mean that users are resolved the same way they are with sec=sys? If
so, this could be the solution we are looking for if I can make sure
that all our Linux systems that need to mount have a new enough Linux
kernel to support it.

// Andreas Kempe