RPCSEC_GSS for linux 2.5 kernels
As of version 2.5.58, Linus's kernel includes support for basic client-side rpcsec_gss authentication (without data integrity or privacy). The kernel patches below add server-side support and add support for data integrity on the client. Features we are actively working on include full integrity and privacy support on client and server and support for the other two rpcsec_gss mechanisms (spkm3 and lipkey) required by the nfsv4 spec.
This is work in progress, and may be only very lightly tested before release; the intended audience is developers and users interested in testing rpcsec_gss.
The rpcsec_gss support should work with any version of NFS, though it doesn't protect the auxiliary protocols used with NFSv3 (MOUNT, NLM locking and NSM status), which keep whatever authentication they already use. Also, see our NFSv4/Linux download page for NFSv4 information.
You need a set of the latest kernel patches from this directory, a matching kernel tree, a mount patch (against the util-linux sources), the latest gssd sources, and the latest nfs-utils patch against the corresponding version of nfs-utils.
Apply the appropriate patches and configure and build the kernel, making sure to select, at a minimum:
Build a Kerberos library with the mechglue patch applied:

# cd /usr/local/src
# tar -xzvf krb5-1.2.7.tar.gz
# cd krb5-1.2.7
# patch -p1 <mechglue_krb22.214.171.124-mechglue-1.diff
# cd src
# ./configure && make
Then build the user-space daemons (rpc.gssd and rpc.svcgssd):
# tar -xzvf gssd.tar.gz # cd gssd # ./configure --with-krb5=/usr/local/src/krb5-1.2.7/src && make
Install them somewhere (e.g., /usr/local/sbin/).
Create machine credentials for both the client and the server. For this release, this means creating a Kerberos V5 principal of the form nfs/hostname@REALM (hostname being the machine's fully qualified name), and either adding a key for this principal to an existing /etc/krb5.keytab or creating a new /etc/krb5.keytab, with the key generated randomly rather than derived from a password.
Note: only the des-cbc-crc encryption type is functional so far in the kernel, so add ONLY this type of key. (Single DES has a 56-bit key and is no longer considered secure; use it only for testing this code.)
kadmin: addprinc -randkey nfs/hostname.domain
kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/hostname.domain
Then move /tmp/keytab into place as /etc/krb5.keytab on that host (or merge it into the existing keytab), readable by root only, and remove the temporary copy.
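Because ktadd without -e would also write keys of every default enctype, and the kernel can use only des-cbc-crc, it is worth checking the keytab before booting. The following script is an added example, not code from this page or from the gssd sources; it parses the output of klist -ke for the nfs/ principal and reports whether exactly one des-cbc-crc key is present. The hostnames, realm and listings in it are constructed test data.

```shell
#!/bin/sh
# Added example (not code from the CITI page or the gssd sources): verify that a
# host's keytab holds exactly the key the 2.5 kernel can use for nfs/<host>.
# Hostnames, realm and the listings below are constructed test data.

# Constructed `klist -ke` output: nfs/ principal with only a des-cbc-crc key.
SAMPLE_KEYTAB_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/client.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   5 host/client.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)'

# Constructed listing where ktadd was run without -e and added a 3DES key too.
SAMPLE_KEYTAB_MIXED='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/client.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   2 nfs/client.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)'

# keytab_enctypes LISTING PRINCIPAL_PREFIX
# Prints the enctype name of every key whose principal starts with the prefix.
keytab_enctypes() {
    printf '%s\n' "$1" | awk -v p="$2" '
        index($2, p) == 1 {
            s = $0
            sub(/^[^(]*\(/, "", s)   # drop "KVNO principal ("
            sub(/\)$/, "", s)        # drop the trailing ")"
            print s
        }'
}

# check_nfs_keytab LISTING HOSTNAME
# Exit 0 when nfs/HOSTNAME@... has a des-cbc-crc key and no other enctype,
#      1 when no des-cbc-crc key is present (the kernel cannot use this keytab),
#      2 when des-cbc-crc is present but other enctypes were added as well.
check_nfs_keytab() {
    keytab_enctypes "$1" "nfs/$2@" | awk '
        /^DES cbc mode with CRC-32$/ { des++; next }
        /./                          { other++ }
        END {
            if (des == 0)  { print "no des-cbc-crc key for nfs/ principal"; exit 1 }
            if (other > 0) { print "keytab also holds " other " non-des-cbc-crc key(s)"; exit 2 }
            print "ok"
        }'
}

# check_keytab_file KEYTAB HOSTNAME: run the same check against a real keytab.
check_keytab_file() {
    check_nfs_keytab "$(klist -ke "$1")" "$2"
}
```

On a real host, run check_keytab_file /etc/krb5.keytab "$(hostname -f)" as root after the ktadd step; a non-zero exit means the keytab must be regenerated before the kernel can authenticate.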
Build the patched mount program and nfs-utils.
Boot to the new kernel, and then you should be able to do something like this on the client:
# mkdir /var/lib/rpc_pipes
# mount -trpc_pipefs none /var/lib/rpc_pipes
# rpc.gssd -m &
# mount -osec=krb5 myserver.somewhere.net:/ /mnt
and on the server, export as usual, except that any exports which you wish to be accessible to clients using krb5 should be exported to a special client named "gss/krb5". For example, a line in your export file reading:

/exports gss/krb5(rw,sync)

will make /exports available to those clients (and only those clients) which use krb5. Any other client entry for the same path, such as a wildcard, would still admit the clients it names without krb5.
In addition, you need to mount the rpc_pipefs filesystem (as for the client) and run rpc.svcgssd:
# mkdir /var/lib/rpc_pipes
# mount -trpc_pipefs none /var/lib/rpc_pipes
# rpc.svcgssd &
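The client and server sequences above are easy to get half done (rpc_pipefs mounted twice, a daemon started twice, no gss/krb5 line in the exports). The script below is an added example, not code from this page, nfs-utils or the gssd tree: it wraps the same commands with the checks a practitioner would want, and keeps the checks in functions that take their input as text so they can be exercised offline. The directory, daemon flags and mount options are the page's own; the /proc/filesystems, /proc/mounts and /etc/exports snippets are constructed test data, and pgrep is assumed to be available.

```shell
#!/bin/sh
# Added example (not code from the CITI page or nfs-utils): an idempotent
# bring-up of the rpcsec_gss pieces on either side, with checks that the page
# takes for granted. Paths, hostnames and the sample texts are assumptions
# or constructed test data; the commands themselves are the page's.

PIPEFS_DIR=${PIPEFS_DIR:-/var/lib/rpc_pipes}   # directory the page uses

# Constructed /proc/filesystems and /proc/mounts snippets (not captured).
SAMPLE_FILESYSTEMS='nodev   proc
        ext3
nodev   rpc_pipefs'
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
proc /proc proc rw 0 0
rpc_pipefs /var/lib/rpc_pipes rpc_pipefs rw 0 0'

# Constructed /etc/exports, including a path that is also open to everyone.
SAMPLE_EXPORTS='# rpcsec_gss test exports
/exports gss/krb5(rw,sync)
/public  *(ro,sync)
/home    gss/krb5(rw,sync) 10.0.0.0/8(ro)'

# kernel_has_pipefs FILESYSTEMS_TEXT: is rpc_pipefs registered with the kernel?
kernel_has_pipefs() {
    printf '%s\n' "$1" | awk '$NF == "rpc_pipefs" { found = 1 } END { exit !found }'
}

# pipefs_mounted MOUNTS_TEXT DIR: is rpc_pipefs already mounted on DIR?
pipefs_mounted() {
    printf '%s\n' "$1" | awk -v d="$2" '$2 == d && $3 == "rpc_pipefs" { found = 1 }
                                        END { exit !found }'
}

# gss_exports EXPORTS_TEXT: print each path exported to the gss/krb5 client.
gss_exports() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        { for (i = 2; i <= NF; i++) { split($i, c, "("); if (c[1] == "gss/krb5") { print $1; break } } }'
}

# wildcard_exports EXPORTS_TEXT: print paths exported to "*" as well; such a
# path is reachable without krb5 even if it also has a gss/krb5 entry.
wildcard_exports() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        { for (i = 2; i <= NF; i++) { split($i, c, "("); if (c[1] == "*") { print $1; break } } }'
}

# ensure_pipefs: mount rpc_pipefs on $PIPEFS_DIR once, after checking support.
ensure_pipefs() {
    kernel_has_pipefs "$(cat /proc/filesystems)" || {
        echo "kernel has no rpc_pipefs: rebuild with rpcsec_gss support" >&2; return 1; }
    pipefs_mounted "$(cat /proc/mounts)" "$PIPEFS_DIR" && return 0
    mkdir -p "$PIPEFS_DIR" && mount -t rpc_pipefs none "$PIPEFS_DIR"
}

# setup_client SERVER:/export MOUNTPOINT  (the page's client sequence)
setup_client() {
    ensure_pipefs || return 1
    if ! pgrep -x rpc.gssd >/dev/null; then rpc.gssd -m & fi
    mount -o sec=krb5 "$1" "$2"
}

# setup_server  (the page's server sequence, refusing to start with no krb5 exports)
setup_server() {
    ensure_pipefs || return 1
    exports=$(cat /etc/exports)
    [ -n "$(gss_exports "$exports")" ] || { echo "no gss/krb5 export lines in /etc/exports" >&2; return 1; }
    for p in $(wildcard_exports "$exports"); do
        echo "warning: $p is also exported to * (reachable without krb5)" >&2
    done
    if ! pgrep -x rpc.svcgssd >/dev/null; then rpc.svcgssd & fi
    exportfs -ra
}
```

Source the file and call setup_client myserver.somewhere.net:/ /mnt on the client, or setup_server on the server; nothing runs at load time, so the text-taking check functions can be tried against any captured /proc or exports contents first.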
Known issues, being worked on: