
Projects: NFS Version 4 Open Source Reference Implementation

GSSD flow description

The picture below shows the major flow of messages in the rpc.gssd/rpc.svcgssd context negotiation process.

  1. A user process performs an initial operation on an NFS object that requires rpcsec_gss authentication. (This can be any version of NFS -- 2, 3, or 4.)
  2. Kernel code discovers that it has no cached context for this user/server combination and does an upcall to obtain a security context. The upcall is handled by rpc.gssd.

    The conduit between kernel and userspace is via a pipefs filesystem. The default mount location for this pipefs is /var/lib/nfs/rpc_pipefs. (This is referenced as {pipefsdir} below.) The kernel writes to:

        {pipefsdir}/clntXX/info
        {pipefsdir}/clntXX/krb5
        {pipefsdir}/clntXX/spkm3
    rpc.gssd monitors for changes (new files) in the {pipefsdir}.

    rpc.gssd assumes that the user has already authenticated and has credentials available. It attempts to find credentials for the user (using only the UID) and calls rpcsec_gss routine authgss_create() to create an rpc context. authgss_create() calls gss_init_sec_context() to obtain a gss token.

  3. rpc.gssd sends the gss token via a NULL rpc call. (Note that this null call currently uses portmap on the server to locate the service.)
  4. The server receives the NULL rpc call and does an upcall to rpc.svcgssd to handle it.

    The server side uses procfs as the conduit between kernel and userspace:

        /proc/net/rpc/auth.rpcsec.context/channel
        /proc/net/rpc/auth.rpcsec.init/channel

    rpc.svcgssd calls gss_accept_sec_context() to obtain a gss token and complete the gss context negotiation. The server now has a completed context which is ...

  5. returned to the kernel (via the auth.rpcsec.context channel) as well as the response to the NULL rpc (via the auth.rpcsec.init channel).
  6. The NULL rpc response (containing the gss token) is returned to the client which completes the context negotiation.
  7. The gss context information is written to the kernel.
  8. The original operation can now be performed using the security context cached by the kernel.
  9. The server's response to the original operation is returned to the client.
  10. Results of the original operation are returned to the user process.
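When context negotiation stalls (step 2 above), the first thing to check on the client is whether the kernel has created clntXX upcall directories under {pipefsdir} that rpc.gssd has not serviced. The following diagnostic is an added example, not CITI's or nfs-utils' code: it locates the rpc_pipefs mount from /proc/mounts text (falling back to the default /var/lib/nfs/rpc_pipefs the page gives) and reports which of the three upcall files named above exist in each clntXX directory. The hex-suffix pattern for clntXX and the sample mount line are assumptions.

```python
"""Inspect the client-side rpc_pipefs upcall layout described above."""
import os
import re

# Default pipefs mount point, as stated on the page.
DEFAULT_PIPEFSDIR = "/var/lib/nfs/rpc_pipefs"
# The three files the page says the kernel writes for each upcall.
UPCALL_FILES = ("info", "krb5", "spkm3")
# clntXX directory names; the hex suffix is an assumption, not from the page.
CLNT_RE = re.compile(r"^clnt[0-9a-fA-F]+$")

# Constructed sample of /proc/mounts content (not captured from a real host).
SAMPLE_MOUNTS = (
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "rpc_pipefs /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime 0 0\n"
)


def find_pipefs_mount(mounts_text):
    """Return the mount point of the first rpc_pipefs entry in /proc/mounts
    formatted text, or DEFAULT_PIPEFSDIR if no such entry is listed."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "rpc_pipefs":
            return fields[1]
    return DEFAULT_PIPEFSDIR


def pending_upcalls(pipefsdir):
    """Map each clntXX directory under pipefsdir to the sorted list of
    upcall files (info, krb5, spkm3) currently present in it.  A clntXX
    directory that still has these files is an upcall rpc.gssd has not
    yet consumed, which is where a hung rpcsec_gss mount usually shows."""
    result = {}
    if not os.path.isdir(pipefsdir):
        return result
    for name in sorted(os.listdir(pipefsdir)):
        path = os.path.join(pipefsdir, name)
        if CLNT_RE.match(name) and os.path.isdir(path):
            result[name] = [f for f in UPCALL_FILES
                            if os.path.exists(os.path.join(path, f))]
    return result


if __name__ == "__main__":
    pipefsdir = find_pipefs_mount(SAMPLE_MOUNTS)
    for clnt, files in pending_upcalls(pipefsdir).items():
        print(f"{pipefsdir}/{clnt}: {', '.join(files) or 'no upcall files'}")
```

Run as root on a client with a live rpc_pipefs; an empty listing means no upcall is outstanding, while a clntXX entry that keeps its info and krb5 files points at rpc.gssd not running or not finding credentials for that UID.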
Copyright © 1996-2013
The Regents of the University of Michigan