RPCSEC_GSS Version 3.0 Distribution - feb_2002_rel

This work was done as part of the NFS Version 4 Open Source Reference Implementation project. This release is in the form of a patch against the Linux-2.4.4 kernel, and depends upon the application of the kernel crypto patch. The intention is to be independent of a particular kernel crypto patch, so we will revisit the crpto interface. This release has been written to be able to be used with the NFSv3/v2 client and server. This release also requires changes to gssd.

This release implements Kerberos V5 mutual authentication with no data integrity nor privacy, using the default QOP.

Code Level and Management

This is new code, and we expect bugs. We will be testing this code at Connectathon 2002 and will be releasing a new version of this patch when Connectathon 2002 is over. Unlike past releases, we then intend for the general Linux community to participate in bug fixes and code development.

Download

This release requires the application of the cryptoapi-2.4.10.diff patch to the Linux-2.4.4 kernel with a single modification, cryptoapi-2.4.10.diff.modification , to enable digest lookup and repair the main linux kernel Makefile.

The rpcsec_gss_nfsv4patch3.0.patch affects only the code in net/sunrpc and include/linux/sunprc and can be used with both our NFSv4 client and server, and with the NFSv3 client (and eventually, the server).

The rpcsec_gss-3.0.nfsv3.patch enables the Linux-2.4.4 NFSv3 client to use the rpcsec_gss-3.0.patch. This code is a proof of concept in that it hard codes the use of RPCSEC_GSS. It has been tested against the Solaris 2.8 NFSv3 server exporting with sec=krb5.

The rpcsec_gss-3.0.patch requires changes to gssd. The rpcsec_gss-3.0-nfsv4_utilities.patch applied against the nfsv4_utilities updates the nfsv4_utilities/rpcsec_gss/gssd. These changes require that gssd be built against MIT's krb5.1.2.3 source with the mechglue_krb5.1.2.3.patch applied.

NFSv4 Installation

1. Apply the linux-2.4.4-nfsv4-3.0.patch to the stock Linux-2.4.4 kernel.NOTE: some versions of the patch program will generate a spurious warning about a possible reverse hunk. Just answer "no" (the default) when asked if patch should assume -R, and answer "yes" (not the default) when asked if patch should apply the patch anyway.

   # cd /usr/src/linux
   # patch -p1 < linux-2.4.4-nfsv4-3.0.patch
   

2. Apply the cryptoapi-2.4.10.diff patch.

   # cd /usr/src/linux
   # patch -p1 < cryptoapi-2.4.10.diff
   

   Note: the following message can be ignored, it will be fixed in the next step.

   1 out of 3 hunks FAILED -- saving rejects to file Makefile.rej
   

3. Apply the cryptoapi-2.4.10.diff.modification

   # cd /usr/src/linux
   # patch -p1 < cryptoapi-2.4.10.diff.modification
   

4. Apply the rpcsec_gss_nfsv4patch3.0.patch

   # cd /usr/src/linux
   # patch -p1 < rpcsec_gss_nfsv4patch3.0.patch
   

5. Run make xconfig. Set the following options in Filesystems/Network File Systems

         Set "NFS file system supporti"  to "n"
         Set "NFS server support" to "n"
         Set "NFSv4 file system support" to "m"
         Set "NFSv4 server support" to "m"
         Set "RPCSEC_GSS support" to "y". 
   

   Set the following options in Crypto options

         Set "CryptoAPI Support" to "m"
         Set "Crypto ciphers" to "m"
         Set "DES cipher (DEPRICATED)" to "m"
         Set "Digest algorithms" to "m"
         Set "MD5 digest (EXPERIMENTAL)" to "m"
   

   The resulting /usr/src/linux/.config should look like this:

         #
         # Network File Systems
         #
         # CONFIG_CODA_FS is not set
         # CONFIG_NFS_FS is not set
         # CONFIG_NFSD is not set
         CONFIG_NFS4_FS=m
         CONFIG_NFSD4=m
         # CONFIG_LOCKD is not set
         CONFIG_NFS4=m
         CONFIG_SUNRPC=m
         CONFIG_SUNRPC_GSS=y
   
         #
         # Crypto options
         #
         CONFIG_CRYPTO=m
         CONFIG_CIPHERS=m
         # CONFIG_CIPHER_AES is not set
   
         #
         # Other ciphers (64 bit blocksize)
         #
         # CONFIG_CIPHER_BLOWFISH is not set
         # CONFIG_CIPHER_IDEA is not set
         # CONFIG_CIPHER_RC5 is not set
         # CONFIG_CIPHER_DES_EDE3 is not set
         CONFIG_CIPHER_DES=m
   
         #
         # Debugging
         #
         # CONFIG_CIPHER_DUMMY is not set
         CONFIG_DIGEST=m
         CONFIG_DIGEST_MD5=m
         # CONFIG_DIGEST_SHA1 is not set
   

   NOTE: this patch has a bug! please edit the following two files as follows:

   /usr/src/linux/fs/nfsd4/export.c  
        add #include  <sunrpc/auth_gss.h> at the end of the #include's
   /usr/src/linux/fs/nfsd4/encode.c  
        add #include <sunrpc/auth_gss.h> at the end of the #include's
   

6. Build the kernel.

         # cd /usr/src/linux
         # make dep
         # make bzImage

7. Install the kernel.

         # cp /usr/src/linux/System.map /boot/System.map-nfsv4
         # cp arch/i386/boot/bzImage /boot/vmlinux-nfsv4

8. Add a stanza to /etc/lilo.conf with an image to match your kernel installation.
9. Run lilo, and reboot.
10. Build and install all kernel modules.

          # cd /usr/src/linux
          # make modules
          # make modules_install

11. Unpack the MIT kerberos 5.1.2.3 distribution, and apply the mechglue_krb5.1.2.3.patch

          # cd /usr/local/src
          # tar -zxvf krb5.1.2.3.tar.gz
          # mv mechglue_krb5.1.2.3.patch /usr/local/src/krb5.1.2.3/src
          # cd krb5.1.2.3/src
          # patch -p1 -i mechglue_krb5.1.2.3.patch
          # ./configure  --with-cc=gcc 
    

12. Link the mechglue Makefile. It does not get generated by configure. Make kerberos.

          # cd lib/gssapi/mechglue
          # ln -s Makefile.static Makefile
          # cd /usr/local/src/krb5-1.2.3/src
          # make 
          # make install (OPTIONAL)
    

    Notes: The make install is optional. If you install the krb5.1.2.3 in a location other than /usr/local/src, the lib/gssapi/mechglue/Makefile will need to be edited to set the BUILDTOP variable.
13. Unpack the nfsv4 utilities nfsv4_utilities.tar.gz.

          # cd /usr/src
          # tar -zxvf nfsv4_utilities.tar.gz
    

14. Apply rpcsec_gss-3.0-nfsv4_utilities.patch to the nfsv4_utilities

          # cd nfsv4_utilities
          # mv rpcsec_gss-3.0-nfsv4_utilities.patch .
          # patch -p1 < rpcsec_gss-3.0-nfsv4_utilities.patch
    

    Notes:

    1) This patch reports FAILURES in the rpcsec_gss/gssd/ directory. You can IGNORE them. They are due to differences in the $Id stanza. Just continue on with the instructions. My appologies.

    2) The nfsv4_utilities uses includes from the linux main patch. Depending on which Linux distribution you are using, you may need to make these includes available by ONE of the two following methods:

        % mv /usr/include/linux /usr/include/linux-
        % ln -s /usr/src/linux/include/linux /usr/include/linux
    
          ---- OR ----
    
        % cp -rp /usr/src/linux/include/linux/nfsv4 /usr/include/linux/nfsv4
        % cp -rp /usr/src/linux/include/linux/nfs4_* /usr/include/linux
    

15. Build, and install the nfsv4 utilities.

          # cd export_parser
          # make
          # make install
          # cd ../rpcsec_gss
          # ./configure --with-krb5=/usr/local/src/krb5-1.2.3/src
          # make
          # cd gssd
          # install -c -m 755 gssd /usr/sbin/gssd
          # cd ../../mount-2.11n
          # make
          # install -c -m 755 mount /usr/sbin/mount4
    

    We recommend installing the nfsv4-enabled mount under another filename such as mount4, so as not to replace the built-in mount on your system.

NFSv3 Installation

These instructions and the nfsv3 patch are coming soon!

RPCSEC_GSS Configuration and Operation

These instructions are common to NFSv3 and NFSv4.

1. Create machine credentials for both the client and the server. For this release, this means creating a Kerberos V5 principal/instance name of the form nfs/hostname@domain, and either adding a key for this pricipal to an existing /etc/krb5.keytab or creating an /etc/krb5.keytab using a random password.

   Note: only the encryption type of des-cbc-crc is functional so far in the kernel, so add ONLY this type of key.

   kadmin: addprinc -randkey nfs/hostname.domain
   kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/hostname.domain
   

2. nfsv4_utilities/rpcsec_gss/gssd/gssd needs to be started on both client and server. If you want to see gssd output, build gssd with -DDEBUG.

Server

1. Create an /etc/exports file, following the directions. and use the sec:krb5 option.
2. Edit the /etc/rc.d/init.d/nfs4 file. Remove the "-n" option from the gssd start command to enable kerberos v5 functionality in gssd.

   change this:

         #/usr/sbin/gssd -n&
   

   to this:

         #/usr/sbin/gssd &
   

   Add the command to load the cryptoapi module prior to loading the sunrpc module.

    # insmod cryptoapi

3. Start the server. This will load the modules, start gssd, and run /usr/sbin/exportfs4 to start the nfsv4 server(s). The nfs4 startup script is installed as part of the nfsv4_utilities/export_parser installation.

    # /etc/rc.d/init.d/nfs4 start

Client

1. Start the GSS daemon.

    # /usr/sbin/gssd &

2. Load the necessary modules.

   
         # insmod cryptoapi
         # insmod sunrpc
         # insmod nfs4
         # insmod nfs4fs

3. Use the NFSv4-enabled mount4 to mount a directory from the server.