€•º?Œsphinx.addnodes”Œdocument”“”)”}”(Œ rawsource”Œ”Œchildren”]”(Œ translations”Œ LanguagesNode”“”)”}”(hhh]”(hŒ pending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ refdomain”Œstd”Œreftype”Œdoc”Œ reftarget”Œ2/translations/zh_CN/filesystems/nfs/rpc-server-gss”Œmodname”NŒ classname”NŒ refexplicit”ˆuŒtagname”hhh ubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ2/translations/zh_TW/filesystems/nfs/rpc-server-gss”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ2/translations/it_IT/filesystems/nfs/rpc-server-gss”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ2/translations/ja_JP/filesystems/nfs/rpc-server-gss”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ2/translations/ko_KR/filesystems/nfs/rpc-server-gss”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒSpanish”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ2/translations/sp_SP/filesystems/nfs/rpc-server-gss”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h hhŒ _document”hŒsource”NŒline”NubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒ)rpcsec_gss support for kernel RPC servers”h]”hŒ)rpcsec_gss support for kernel RPC servers”…””}”(hh¨hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¦hh£hžhhŸŒL/var/lib/git/docbuild/linux/Documentation/filesystems/nfs/rpc-server-gss.rst”h KubhŒ paragraph”“”)”}”(hX4This document gives references to the standards and protocols used to implement RPCGSS authentication in kernel RPC servers such as the NFS server and the NFS client's NFSv4.0 callback server. (But note that NFSv4.1 and higher don't require the client to act as a server for the purposes of authentication.)”h]”hX8This document gives references to the standards and protocols used to implement RPCGSS authentication in kernel RPC servers such as the NFS server and the NFS client’s NFSv4.0 callback server. (But note that NFSv4.1 and higher don’t require the client to act as a server for the purposes of authentication.)”…””}”(hh¹hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khh£hžhubh¸)”}”(hŒ,RPCGSS is specified in a few IETF documents:”h]”hŒ,RPCGSS is specified in a few IETF documents:”…””}”(hhÇhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K hh£hžhubhŒ block_quote”“”)”}”(hŒj- RFC2203 v1: https://tools.ietf.org/rfc/rfc2203.txt - RFC5403 v2: https://tools.ietf.org/rfc/rfc5403.txt ”h]”hŒ bullet_list”“”)”}”(hhh]”(hŒ list_item”“”)”}”(hŒ2RFC2203 v1: https://tools.ietf.org/rfc/rfc2203.txt”h]”h¸)”}”(hhäh]”(hŒ RFC2203 v1: ”…””}”(hhæhžhhŸNh NubhŒ reference”“”)”}”(hŒ&https://tools.ietf.org/rfc/rfc2203.txt”h]”hŒ&https://tools.ietf.org/rfc/rfc2203.txt”…””}”(hhïhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”hñuh1híhhæubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K hhâubah}”(h]”h ]”h"]”h$]”h&]”uh1hàhhÝubhá)”}”(hŒ3RFC5403 v2: https://tools.ietf.org/rfc/rfc5403.txt ”h]”h¸)”}”(hŒ2RFC5403 v2: https://tools.ietf.org/rfc/rfc5403.txt”h]”(hŒ RFC5403 v2: ”…””}”(hjhžhhŸNh Nubhî)”}”(hŒ&https://tools.ietf.org/rfc/rfc5403.txt”h]”hŒ&https://tools.ietf.org/rfc/rfc5403.txt”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”juh1híhjubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khj ubah}”(h]”h ]”h"]”h$]”h&]”uh1hàhhÝubeh}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ-”uh1hÛhŸh¶h K hh×ubah}”(h]”h ]”h"]”h$]”h&]”uh1hÕhŸh¶h K hh£hžhubh¸)”}”(hŒ;There is a third version that we don't currently implement:”h]”hŒ=There is a third version that we don’t currently implement:”…””}”(hj?hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khh£hžhubhÖ)”}”(hŒ5- RFC7861 v3: https://tools.ietf.org/rfc/rfc7861.txt ”h]”hÜ)”}”(hhh]”há)”}”(hŒ3RFC7861 v3: https://tools.ietf.org/rfc/rfc7861.txt ”h]”h¸)”}”(hŒ2RFC7861 v3: https://tools.ietf.org/rfc/rfc7861.txt”h]”(hŒ RFC7861 v3: ”…””}”(hjXhžhhŸNh Nubhî)”}”(hŒ&https://tools.ietf.org/rfc/rfc7861.txt”h]”hŒ&https://tools.ietf.org/rfc/rfc7861.txt”…””}”(hj`hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”jbuh1híhjXubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KhjTubah}”(h]”h ]”h"]”h$]”h&]”uh1hàhjQubah}”(h]”h ]”h"]”h$]”h&]”j7j8uh1hÛhŸh¶h KhjMubah}”(h]”h ]”h"]”h$]”h&]”uh1hÕhŸh¶h Khh£hžhubh¢)”}”(hhh]”(h§)”}”(hŒ Background”h]”hŒ Background”…””}”(hjŠhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¦hj‡hžhhŸh¶h Kubh¸)”}”(hŒßThe RPCGSS Authentication method describes a way to perform GSSAPI Authentication for NFS. Although GSSAPI is itself completely mechanism agnostic, in many cases only the KRB5 mechanism is supported by NFS implementations.”h]”hŒßThe RPCGSS Authentication method describes a way to perform GSSAPI Authentication for NFS. Although GSSAPI is itself completely mechanism agnostic, in many cases only the KRB5 mechanism is supported by NFS implementations.”…””}”(hj˜hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khj‡hžhubh¸)”}”(hŒ{The Linux kernel, at the moment, supports only the KRB5 mechanism, and depends on GSSAPI extensions that are KRB5 specific.”h]”hŒ{The Linux kernel, at the moment, supports only the KRB5 mechanism, and depends on GSSAPI extensions that are KRB5 specific.”…””}”(hj¦hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khj‡hžhubh¸)”}”(hŒ—GSSAPI is a complex library, and implementing it completely in kernel is unwarranted. However GSSAPI operations are fundamentally separable in 2 parts:”h]”hŒ—GSSAPI is a complex library, and implementing it completely in kernel is unwarranted. However GSSAPI operations are fundamentally separable in 2 parts:”…””}”(hj´hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khj‡hžhubhÜ)”}”(hhh]”(há)”}”(hŒinitial context establishment”h]”h¸)”}”(hjÇh]”hŒinitial context establishment”…””}”(hjÉhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K#hjÅubah}”(h]”h ]”h"]”h$]”h&]”uh1hàhjÂhžhhŸh¶h Nubhá)”}”(hŒLintegrity/privacy protection (signing and encrypting of individual packets) ”h]”h¸)”}”(hŒKintegrity/privacy protection (signing and encrypting of individual packets)”h]”hŒKintegrity/privacy protection (signing and encrypting of individual packets)”…””}”(hjàhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K$hjÜubah}”(h]”h ]”h"]”h$]”h&]”uh1hàhjÂhžhhŸh¶h Nubeh}”(h]”h ]”h"]”h$]”h&]”j7j8uh1hÛhŸh¶h K#hj‡hžhubh¸)”}”(hŒ„The former is more complex and policy-independent, but less performance-sensitive. The latter is simpler and needs to be very fast.”h]”hŒ„The former is more complex and policy-independent, but less performance-sensitive. The latter is simpler and needs to be very fast.”…””}”(hjúhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K'hj‡hžhubh¸)”}”(hŒÒTherefore, we perform per-packet integrity and privacy protection in the kernel, but leave the initial context establishment to userspace. We need upcalls to request userspace to perform context establishment.”h]”hŒÒTherefore, we perform per-packet integrity and privacy protection in the kernel, but leave the initial context establishment to userspace. We need upcalls to request userspace to perform context establishment.”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K*hj‡hžhubeh}”(h]”Œ background”ah ]”h"]”Œ background”ah$]”h&]”uh1h¡hh£hžhhŸh¶h Kubh¢)”}”(hhh]”(h§)”}”(hŒ"NFS Server Legacy Upcall Mechanism”h]”hŒ"NFS Server Legacy Upcall Mechanism”…””}”(hj!hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¦hjhžhhŸh¶h K/ubh¸)”}”(hŒžThe classic upcall mechanism uses a custom text based upcall mechanism to talk to a custom daemon called rpc.svcgssd that is provide by the nfs-utils package.”h]”hŒžThe classic upcall mechanism uses a custom text based upcall mechanism to talk to a custom daemon called rpc.svcgssd that is provide by the nfs-utils package.”…””}”(hj/hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K1hjhžhubh¸)”}”(hŒ(This upcall mechanism has 2 limitations:”h]”hŒ(This upcall mechanism has 2 limitations:”…””}”(hj=hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K5hjhžhubhŒenumerated_list”“”)”}”(hhh]”há)”}”(hŒ2It can handle tokens that are no bigger than 2KiB ”h]”h¸)”}”(hŒ1It can handle tokens that are no bigger than 2KiB”h]”hŒ1It can handle tokens that are no bigger than 2KiB”…””}”(hjThžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K7hjPubah}”(h]”h ]”h"]”h$]”h&]”uh1hàhjMhžhhŸh¶h Nubah}”(h]”h ]”h"]”h$]”h&]”Œenumtype”Œ upperalpha”Œprefix”hŒsuffix”Œ)”uh1jKhjhžhhŸh¶h K7ubh¸)”}”(hŒøIn some Kerberos deployment GSSAPI tokens can be quite big, up and beyond 64KiB in size due to various authorization extensions attacked to the Kerberos tickets, that needs to be sent through the GSS layer in order to perform context establishment.”h]”hŒøIn some Kerberos deployment GSSAPI tokens can be quite big, up and beyond 64KiB in size due to various authorization extensions attacked to the Kerberos tickets, that needs to be sent through the GSS layer in order to perform context establishment.”…””}”(hjshžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K9hjhžhubh¸)”}”(hŒíB) It does not properly handle creds where the user is member of more than a few thousand groups (the current hard limit in the kernel is 65K groups) due to limitation on the size of the buffer that can be send back to the kernel (4KiB).”h]”hŒíB) It does not properly handle creds where the user is member of more than a few thousand groups (the current hard limit in the kernel is 65K groups) due to limitation on the size of the buffer that can be send back to the kernel (4KiB).”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K>hjhžhubeh}”(h]”Œ"nfs-server-legacy-upcall-mechanism”ah ]”h"]”Œ"nfs server legacy upcall mechanism”ah$]”h&]”uh1h¡hh£hžhhŸh¶h K/ubh¢)”}”(hhh]”(h§)”}”(hŒ#NFS Server New RPC Upcall Mechanism”h]”hŒ#NFS Server New RPC Upcall Mechanism”…””}”(hjšhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¦hj—hžhhŸh¶h KDubh¸)”}”(hŒˆThe newer upcall mechanism uses RPC over a unix socket to a daemon called gss-proxy, implemented by a userspace program called Gssproxy.”h]”hŒˆThe newer upcall mechanism uses RPC over a unix socket to a daemon called gss-proxy, implemented by a userspace program called Gssproxy.”…””}”(hj¨hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KFhj—hžhubh¸)”}”(hŒ{The gss_proxy RPC protocol is currently documented `here `_.”h]”(hŒ3The gss_proxy RPC protocol is currently documented ”…””}”(hj¶hžhhŸNh Nubhî)”}”(hŒG`here `_”h]”hŒhere”…””}”(hj¾hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œhere”Œrefuri”Œ=https://fedorahosted.org/gss-proxy/wiki/ProtocolDocumentation”uh1híhj¶ubhŒtarget”“”)”}”(hŒ@ ”h]”h}”(h]”Œhere”ah ]”h"]”Œhere”ah$]”h&]”Œrefuri”jÏuh1jÐŒ referenced”Khj¶ubhŒ.”…””}”(hj¶hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KIhj—hžhubh¸)”}”(hŒÓThis upcall mechanism uses the kernel rpc client and connects to the gssproxy userspace program over a regular unix socket. The gssproxy protocol does not suffer from the size limitations of the legacy protocol.”h]”hŒÓThis upcall mechanism uses the kernel rpc client and connects to the gssproxy userspace program over a regular unix socket. The gssproxy protocol does not suffer from the size limitations of the legacy protocol.”…””}”(hjêhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KLhj—hžhubeh}”(h]”Œ#nfs-server-new-rpc-upcall-mechanism”ah ]”h"]”Œ#nfs server new rpc upcall mechanism”ah$]”h&]”uh1h¡hh£hžhhŸh¶h KDubh¢)”}”(hhh]”(h§)”}”(hŒNegotiating Upcall Mechanisms”h]”hŒNegotiating Upcall Mechanisms”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¦hjhžhhŸh¶h KQubh¸)”}”(hXTo provide backward compatibility, the kernel defaults to using the legacy mechanism. To switch to the new mechanism, gss-proxy must bind to /var/run/gssproxy.sock and then write "1" to /proc/net/rpc/use-gss-proxy. If gss-proxy dies, it must repeat both steps.”h]”hX To provide backward compatibility, the kernel defaults to using the legacy mechanism. To switch to the new mechanism, gss-proxy must bind to /var/run/gssproxy.sock and then write “1†to /proc/net/rpc/use-gss-proxy. If gss-proxy dies, it must repeat both steps.”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KShjhžhubh¸)”}”(hX_Once the upcall mechanism is chosen, it cannot be changed. To prevent locking into the legacy mechanisms, the above steps must be performed before starting nfsd. Whoever starts nfsd can guarantee this by reading from /proc/net/rpc/use-gss-proxy and checking that it contains a "1"--the read will block until gss-proxy has done its write to the file.”h]”hXcOnce the upcall mechanism is chosen, it cannot be changed. To prevent locking into the legacy mechanisms, the above steps must be performed before starting nfsd. Whoever starts nfsd can guarantee this by reading from /proc/net/rpc/use-gss-proxy and checking that it contains a “1â€--the read will block until gss-proxy has done its write to the file.”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KYhjhžhubeh}”(h]”Œnegotiating-upcall-mechanisms”ah ]”h"]”Œnegotiating upcall mechanisms”ah$]”h&]”uh1h¡hh£hžhhŸh¶h KQubeh}”(h]”Œ)rpcsec-gss-support-for-kernel-rpc-servers”ah ]”h"]”Œ)rpcsec_gss support for kernel rpc servers”ah$]”h&]”uh1h¡hhhžhhŸh¶h Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”h¶uh1hŒcurrent_source”NŒ current_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(h¦NŒ generator”NŒ datestamp”NŒ source_link”NŒ source_url”NŒ toc_backlinks”Œentry”Œfootnote_backlinks”KŒ sectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒ strip_classes”NŒ report_level”KŒ halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ traceback”ˆŒinput_encoding”Œ utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”j`Œerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œ language_code”Œen”Œrecord_dependencies”NŒconfig”NŒ id_prefix”hŒauto_id_prefix”Œid”Œ dump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”h¶Œ _destination”NŒ _config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒ raw_enabled”KŒline_length_limit”M'Œpep_references”NŒ pep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒ rfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œ smart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œ docinfo_xform”KŒsectsubtitle_xform”‰Œ image_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”Œrefids”}”Œnameids”}”(j:j7jjj”j‘jýjújÛjØj2j/uŒ nametypes”}”(j:‰j‰j”‰jý‰jÛˆj2‰uh}”(j7h£jj‡j‘jjúj—jØjÒj/juŒ footnote_refs”}”Œ citation_refs”}”Œ autofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ footnotes”]”Œ citations”]”Œautofootnote_start”KŒsymbol_footnote_start”KŒ id_counter”Œ collections”ŒCounter”“”}”…”R”Œparse_messages”]”Œtransform_messages”]”Œ transformer”NŒ include_log”]”Œ decoration”Nhžhub.