affbeedcbc
Signed-off-by: Steve Dickson <steved@redhat.com> Resolves: RHEL-31858
252 lines
8.8 KiB
Diff
252 lines
8.8 KiB
Diff
commit 9b1f860a3457328a08395651d029a454e0303454
|
|
Author: Scott Mayhew <smayhew@redhat.com>
|
|
Date: Fri Mar 15 06:34:52 2024 -0400
|
|
|
|
gssd: add support for an "allowed-enctypes" option in nfs.conf
|
|
|
|
Newer kernels have support for newer krb5 encryption types, AES with
|
|
SHA2 and Camellia. An NFS client with an "old" kernel can talk to
|
|
and NFS server with a "new" kernel and it just works. An NFS client
|
|
with a "new" kernel can talk to an NFS server with an "old" kernel, but
|
|
that requires some additional configuration (particularly if the NFS
|
|
server does have support for the newer encryption types in its userspace
|
|
krb5 libraries) that may be unclear and/or burdensome to the admin.
|
|
|
|
1) If the NFS server has support for the newer encryption types in the
|
|
userspace krb5 libraries, but not in the kernel's RPCSEC_GSS code,
|
|
then its possible that it also already has "nfs" keys using those
|
|
newer encryption types in its keytab. In that case, it's necessary
|
|
to regenerate the "nfs" keys without the newer encryption types.
|
|
The reason this is necessary is because if the NFS client requests
|
|
an "nfs" service ticket from the KDC, and the list of enctypes in
|
|
in that TGS-REQ contains a newer encryption type, and the KDC had
|
|
previously generated a key for the NFS server using the newer
|
|
encryption type, then the resulting service ticket in the TGS-REP
|
|
will be using the newer encryption type and the NFS server will not
|
|
be able to decrypt it.
|
|
|
|
2) It is necessary to either modify the permitted_enctypes field of the
|
|
krb5.conf or create a custom crypto-policy module (if the
|
|
crypto-policies package is being used) on the NFS *client* so that it
|
|
does not include the newer encryption types. The reason this is
|
|
necessary is because it affects the list of encryption types that
|
|
will be present in the RPCSEC_GSS_INIT request that the NFS client
|
|
sends to the NFS server. The kernel on the NFS server cannot not
|
|
process the request on its own; it has to upcall to gssproxy to do
|
|
that... and again if the userspace krb5 libraries on the NFS server
|
|
have support for the newer encryption types, then it will select one
|
|
of those and the kernel will not be able to import the context when
|
|
it gets the downcall. Also note that modifying the permitted_enctypes
|
|
field and/or crypto policy has the side effect of impacting everything
|
|
krb5 related, not just just NFS.
|
|
|
|
So add support for an "allowed-enctypes" field in nfs.conf. This allows
|
|
the admin to restrict gssd to using a subset of the encryption types
|
|
that are supported by the kernel and krb5 libraries. This will remove
|
|
the need for steps 1 & 2 above, and will only affect NFS rather than
|
|
krb5 as a whole.
|
|
|
|
For example, for a "new" NFS client talking to an "old" NFS server, the
|
|
admin will probably want this in the client's nfs.conf:
|
|
|
|
allowed-enctypes=aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
|
|
|
|
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
|
|
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
diff --git a/nfs.conf b/nfs.conf
|
|
index 323f072..23b5f7d 100644
|
|
--- a/nfs.conf
|
|
+++ b/nfs.conf
|
|
@@ -23,6 +23,7 @@
|
|
# use-gss-proxy=0
|
|
# avoid-dns=1
|
|
# limit-to-legacy-enctypes=0
|
|
+# allowed-enctypes=aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128,camellia256-cts-cmac,camellia128-cts-cmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
|
|
# context-timeout=0
|
|
# rpc-timeout=5
|
|
# keytab-file=/etc/krb5.keytab
|
|
diff --git a/utils/gssd/gssd.c b/utils/gssd/gssd.c
|
|
index ca9b326..10c731a 100644
|
|
--- a/utils/gssd/gssd.c
|
|
+++ b/utils/gssd/gssd.c
|
|
@@ -1232,6 +1232,12 @@ main(int argc, char *argv[])
|
|
|
|
daemon_init(fg);
|
|
|
|
+#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
|
|
+ rc = get_allowed_enctypes();
|
|
+ if (rc)
|
|
+ exit(EXIT_FAILURE);
|
|
+#endif
|
|
+
|
|
if (gssd_check_mechs() != 0)
|
|
errx(1, "Problem with gssapi library");
|
|
|
|
diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man
|
|
index 2a5384d..c735eff 100644
|
|
--- a/utils/gssd/gssd.man
|
|
+++ b/utils/gssd/gssd.man
|
|
@@ -346,6 +346,15 @@ flag.
|
|
Equivalent to
|
|
.BR -l .
|
|
.TP
|
|
+.B allowed-enctypes
|
|
+Allows you to restrict
|
|
+.B rpc.gssd
|
|
+to using a subset of the encryption types permitted by the kernel and the krb5
|
|
+libraries. This is useful if you need to interoperate with an NFS server that
|
|
+does not have support for the newer SHA2 and Camellia encryption types, for
|
|
+example. This configuration file option does not have an equivalent
|
|
+command-line option.
|
|
+.TP
|
|
.B context-timeout
|
|
Equivalent to
|
|
.BR -t .
|
|
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
|
|
index 6f66ef4..57b3cf8 100644
|
|
--- a/utils/gssd/krb5_util.c
|
|
+++ b/utils/gssd/krb5_util.c
|
|
@@ -129,6 +129,7 @@
|
|
#include "err_util.h"
|
|
#include "gss_util.h"
|
|
#include "krb5_util.h"
|
|
+#include "conffile.h"
|
|
|
|
/*
|
|
* List of principals from our keytab that we
|
|
@@ -155,6 +156,8 @@ static pthread_mutex_t ple_lock = PTHREAD_MUTEX_INITIALIZER;
|
|
|
|
#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
|
|
int limit_to_legacy_enctypes = 0;
|
|
+krb5_enctype *allowed_enctypes = NULL;
|
|
+int num_allowed_enctypes = 0;
|
|
#endif
|
|
|
|
/*==========================*/
|
|
@@ -1596,6 +1599,68 @@ out_cred:
|
|
}
|
|
|
|
#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
|
|
+int
|
|
+get_allowed_enctypes(void)
|
|
+{
|
|
+ struct conf_list *allowed_etypes = NULL;
|
|
+ struct conf_list_node *node;
|
|
+ char *buf = NULL, *old = NULL;
|
|
+ int len, ret = 0;
|
|
+
|
|
+ allowed_etypes = conf_get_list("gssd", "allowed-enctypes");
|
|
+ if (allowed_etypes) {
|
|
+ TAILQ_FOREACH(node, &(allowed_etypes->fields), link) {
|
|
+ allowed_enctypes = realloc(allowed_enctypes,
|
|
+ (num_allowed_enctypes + 1) *
|
|
+ sizeof(*allowed_enctypes));
|
|
+ if (allowed_enctypes == NULL) {
|
|
+ ret = ENOMEM;
|
|
+ goto out_err;
|
|
+ }
|
|
+ ret = krb5_string_to_enctype(node->field,
|
|
+ &allowed_enctypes[num_allowed_enctypes]);
|
|
+ if (ret) {
|
|
+ printerr(0, "%s: invalid enctype %s",
|
|
+ __func__, node->field);
|
|
+ goto out_err;
|
|
+ }
|
|
+ if (get_verbosity() > 1) {
|
|
+ if (buf == NULL) {
|
|
+ len = asprintf(&buf, "%s(%d)", node->field,
|
|
+ allowed_enctypes[num_allowed_enctypes]);
|
|
+ if (len < 0) {
|
|
+ ret = ENOMEM;
|
|
+ goto out_err;
|
|
+ }
|
|
+ } else {
|
|
+ old = buf;
|
|
+ len = asprintf(&buf, "%s,%s(%d)", old, node->field,
|
|
+ allowed_enctypes[num_allowed_enctypes]);
|
|
+ if (len < 0) {
|
|
+ ret = ENOMEM;
|
|
+ goto out_err;
|
|
+ }
|
|
+ free(old);
|
|
+ old = NULL;
|
|
+ }
|
|
+ }
|
|
+ num_allowed_enctypes++;
|
|
+ }
|
|
+ printerr(2, "%s: allowed_enctypes = %s", __func__, buf);
|
|
+ }
|
|
+ goto out;
|
|
+out_err:
|
|
+ num_allowed_enctypes = 0;
|
|
+ free(allowed_enctypes);
|
|
+out:
|
|
+ free(buf);
|
|
+ if (old != buf)
|
|
+ free(old);
|
|
+ if (allowed_etypes)
|
|
+ conf_free_list(allowed_etypes);
|
|
+ return ret;
|
|
+}
|
|
+
|
|
/*
|
|
* this routine obtains a credentials handle via gss_acquire_cred()
|
|
* then calls gss_krb5_set_allowable_enctypes() to limit the encryption
|
|
@@ -1619,6 +1684,10 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec)
|
|
int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]);
|
|
extern int num_krb5_enctypes;
|
|
extern krb5_enctype *krb5_enctypes;
|
|
+ extern int num_allowed_enctypes;
|
|
+ extern krb5_enctype *allowed_enctypes;
|
|
+ int num_set_enctypes;
|
|
+ krb5_enctype *set_enctypes;
|
|
int err = -1;
|
|
|
|
if (sec->cred == GSS_C_NO_CREDENTIAL) {
|
|
@@ -1631,12 +1700,26 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec)
|
|
* If we failed for any reason to produce global
|
|
* list of supported enctypes, use local default here.
|
|
*/
|
|
- if (krb5_enctypes == NULL || limit_to_legacy_enctypes)
|
|
- maj_stat = gss_set_allowable_enctypes(&min_stat, sec->cred,
|
|
- &krb5oid, num_enctypes, enctypes);
|
|
- else
|
|
- maj_stat = gss_set_allowable_enctypes(&min_stat, sec->cred,
|
|
- &krb5oid, num_krb5_enctypes, krb5_enctypes);
|
|
+ if (krb5_enctypes == NULL || limit_to_legacy_enctypes ||
|
|
+ allowed_enctypes) {
|
|
+ if (allowed_enctypes) {
|
|
+ printerr(2, "%s: using allowed enctypes from config\n",
|
|
+ __func__);
|
|
+ num_set_enctypes = num_allowed_enctypes;
|
|
+ set_enctypes = allowed_enctypes;
|
|
+ } else {
|
|
+ printerr(2, "%s: using legacy enctypes\n", __func__);
|
|
+ num_set_enctypes = num_enctypes;
|
|
+ set_enctypes = enctypes;
|
|
+ }
|
|
+ } else {
|
|
+ printerr(2, "%s: using enctypes from the kernel\n", __func__);
|
|
+ num_set_enctypes = num_krb5_enctypes;
|
|
+ set_enctypes = krb5_enctypes;
|
|
+ }
|
|
+
|
|
+ maj_stat = gss_set_allowable_enctypes(&min_stat, sec->cred,
|
|
+ &krb5oid, num_set_enctypes, set_enctypes);
|
|
|
|
if (maj_stat != GSS_S_COMPLETE) {
|
|
pgsserr("gss_set_allowable_enctypes",
|
|
diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h
|
|
index 7ef8701..40ad323 100644
|
|
--- a/utils/gssd/krb5_util.h
|
|
+++ b/utils/gssd/krb5_util.h
|
|
@@ -27,6 +27,7 @@ int gssd_k5_remove_bad_service_cred(char *srvname);
|
|
#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
|
|
extern int limit_to_legacy_enctypes;
|
|
int limit_krb5_enctypes(struct rpc_gss_sec *sec);
|
|
+int get_allowed_enctypes(void);
|
|
#endif
|
|
|
|
/*
|