1 - 3 - 6 - A - B - C - D - E - F - G - H - I - K - L - M - N - O - P - Q - R - S - T - U - V - W - X
security
Click on the red underlined text to get to the source
... version
4 protocol provides a mechanism to allow clients and servers the
ability to negotiate security and require clients and servers to
support a minimal set of security ...
... security and require clients and servers to
support a minimal set of security schemes.
o Good cross-platform interoperability ...
... [RFC2203] will be used to extend the basic RPC security. With the
use of RPCSEC_GSS, various mechanisms can be provided to offer
...
... Kerberos V5 will be used as described in [RFC1964] to provide one
security framework. The LIPKEY GSS-API mechanism described in
...
... client a method of
querying the server about its policies regarding which security
mechanisms must be used for access to the server's filesystem
resources. With this, the client can securely match the security
mechanism ...
... security
mechanisms must be used for access to the server's filesystem
resources. With this, the client can securely match the security
mechanism that meets the policies specified at both the client and
server.
...
... RFC1832]. The
RPCSEC_GSS security flavor as defined in [RFC2203] MUST be used as
the mechanism to deliver stronger security ...
... security flavor as defined in [RFC2203] MUST be used as
the mechanism to deliver stronger security for the NFS version 4
...
... handshakes.
As noted in the Security Considerations section, the authentication
model for NFS ...
... Security Flavors ...
... security flavors. With [RFC2203] an
additional security flavor of RPCSEC_GSS has been introduced which
uses the functionality of GSS-API ...
... GSS-API [RFC2743]. This allows for the use
of various security mechanisms by the RPC layer without the
...
... NFS version 4, the RPCSEC_GSS security flavor MUST be used to
enable the mandatory security mechanism. Other flavors, such as,
...
... GSS security flavor MUST be used to
enable the mandatory security mechanism. Other flavors, such as,
AUTH_NONE, AUTH ...
... remainder of this document will refer to these three parameters of
the RPCSEC_GSS security as the security triple.
...
... GSS-API mechanism as described in [RFC1964] MUST be
implemented and provide the following security triples.
column descriptions:
...
... NFS protocol includes a method to
negotiate security and it understands the GSS-API mechanism, the
...
... GSS-API mechanism as described in [RFC2847] MUST be
implemented and provide the following security triples. The
definition of the columns matches the previous subsection "Kerberos
...
... definition of the columns matches the previous subsection "Kerberos
V5 as security triple"
1 2 3 4 5
...
... GSS-API mechanism as described in [RFC2847] MUST be
implemented and provide the following security triples. The
definition of the columns matches the previous subsection "Kerberos
...
... definition of the columns matches the previous subsection "Kerberos
V5 as security triple".
1 2 3 4 5
...
... algorithm is listed as
"negotiated", see the previous section "LIPKEY as a security triple."
Because SPKM ...
... Security Negotiation ...
... With the NFS version 4 server potentially offering multiple security
mechanisms, the client needs a method to determine or negotiate which
...
... NFS server
may be configured such that each of these entry points may have
different or multiple security mechanisms in use.
The security negotiation ...
... security mechanisms in use.
The security negotiation between client and server must be done with
a secure channel ...
... intercepting the negotiation sequence and forcing the client and
server to choose a lower level of security than required or desired.
See the section "Security Considerations" for further discussion ...
... client and
server to choose a lower level of security than required or desired.
See the section "Security Considerations" for further discussion.
...
... The new SECINFO operation will allow the client to determine, on a
per filehandle basis, what security triple is to be used for server
access. In general, the client will not have to use the SECINFO
...
... Security Error ...
... version 4 client and server
must support a minimum set of security (i.e., LIPKEY, SPKM-3, and
...
... client will start its
communication with the server with one of the minimal security
triples. During communication with the server, the client may
...
... NFS error of NFS4ERR_WRONGSEC. This error allows the
server to notify the client that the security triple currently being
used is not appropriate for access to the server's filesystem
resources. The client ...
... resources. The client is then responsible for determining what
security triples are available at the server and choose one which is
appropriate for the client. See the section for the "SECINFO"
...
... principal that acquired the clientid (also described later), using
the security flavor the original SETCLIENTID operation used.
For AUTH ...
... LIPKEY for SETCLIENTID.
Regardless of what security mechanism under RPCSEC_GSS is being used,
the NFS ...
... nfs
Implementations of security mechanisms will convert nfs@hostname to
various different forms. For Kerberos V5 and LIPKEY ...
... NFS protocols.
The MOUNT protocol has deficiencies in the area of security and use
via firewalls. This is one reason that the use of the public
...
... common syntax that can be interpreted by both.
Similarly, security principals may be represented in different ways
by different security mechanisms ...
... security principals may be represented in different ways
by different security mechanisms. Servers normally translate these
representations into a common format, generally that used by local
storage, to serve as a means of identifying the users corresponding
...
... representations into a common format, generally that used by local
storage, to serve as a means of identifying the users corresponding
to these security principals. When these local identifiers are
...
... created by such principals they identify, in a common format, the
users associated with each corresponding set of security principals.
...
... anonymous user,
which will be associated with a file created by a security principal
that cannot be mapped through normal means to the owner attribute.
...
... new server.
See the section "Security Considerations" for a discussion on the
recommendations for the security ...
... Security Considerations" for a discussion on the
recommendations for the security flavor to be used by any GETATTR
operation that requests the "fs_locations" attribute.
...
... Security Policy and Name Space Presentation ...
...
The application of the server's security policy needs to be carefully
considered by the implementor. One may choose to limit the
...
... client's ability to authenticate itself
properly. However, with the support of multiple security mechanisms
and the ability to negotiate the appropriate use of these mechanisms,
the server is unable to properly determine if a client ...
... have legitimate access.
As suggested practice, the server should apply the security policy of
a shared resource in the server's namespace to the components of the
...
...
The /a/b/c directory is a real filesystem and is the shared resource.
The security policy for /a/b/c is Kerberos with integrity. The
...
... Kerberos with integrity. The
server should apply the same security policy to /, /a, and /a/b.
This allows for the extension of the protection of the server's
namespace ...
... namespace to the ancestors of the real shared resource.
For the case of the use of multiple, disjoint security mechanisms in
the server's resources, the security for a particular object in the
...
... For the case of the use of multiple, disjoint security mechanisms in
the server's resources, the security for a particular object in the
server's namespace should be the union of all security mechanisms ...
... security for a particular object in the
server's namespace should be the union of all security mechanisms of
all direct descendants.
...
... software
installation.
As a security measure, the server MUST NOT cancel a client's leased
state ...
... principal owner of the id string (such as the case of a client
that changes security flavors, and under the new flavor, there is no
mapping to the previous owner) will in rare cases result in
NFS4ERR_CLID_INUSE.
...
... request.
NFS4ERR_WRONGSEC The security mechanism being used by the client
for the operation does not match the server's
...
... by the client
for the operation does not match the server's
security policy. The client should change the
security mechanism ...
... security policy. The client should change the
security mechanism being used and retry the
operation.
...
... client, it is mitigated if the client and server require the use of a
security flavor based on Kerberos V5, LIPKEY, or some other flavor
...
... argument.
If the security mechanism used by the requester does not meet the
requirements of the filehandle provided to this operation, the server
...
... version 4 absolute resolution.
There is a form of security negotiation as described in [RFC2755]
that uses the public filehandle a method ...
... versions 2 and 3. Clients should therefore use the
security negotiation mechanisms described in this RFC.
ERRORS
...
... client that issues RENEW MUST choose the principal, RPC security
flavor, and if applicable, GSS-API mechanism and service ...
... client uses the same principal, RPC security flavor -- and if
the flavor was RPCSEC_GSS -- the same mechanism and service ...
... client uses any principal, RPC security flavor mechanism and
service combination that currently has an OPEN file on the server.
...
... Operation 33: SECINFO - Obtain Available Security ...
... behave the same way and return NFS4ERR_ACCESS.
The result will contain an array which represents the security
mechanisms available, with an order corresponding to server's
preferences, the most preferred being first in the array. The client
...
... preferences, the most preferred being first in the array. The client
is free to pick whatever security mechanism it both desires and
supports, or to pick in the server's preference order the first one
it supports. The array entries are represented by the secinfo4
...
... For the flavors AUTH_NONE and AUTH_SYS, no additional security
information is returned. For a return value of RPCSEC_GSS, a
...
... information is returned. For a return value of RPCSEC_GSS, a
security triple is returned that contains the mechanism object id (as
defined in [RFC2743]), the quality of protection ...
... possible for SECINFO to return multiple entries with flavor equal to
RPCSEC_GSS with different security triple values.
On success, the current filehandle retains its value.
...
... NFS
operation. This signifies to the client that the server's security
policy is different from what the client is currently using. At this
point, the client ...
... client is currently using. At this
point, the client is expected to obtain a list of possible security
flavors and choose what best suits its policies.
...
... flavors and choose what best suits its policies.
As mentioned, the server's security policies will determine when a
client request receives NFS4ERR_WRONGSEC. The operations which may
...
... PUTROOTFH, RESTOREFH, RENAME, and indirectly READDIR. LINK and
RENAME will only receive this error if the security used for the
operation is inappropriate for saved filehandle. With the exception
of READDIR, these operations represent the point at which the client ...
... filehandle is a result of a previous SAVEFH. Even though the
filehandle, for RESTOREFH, might have previously passed the server's
inspection for a security match, the server will check it again on
RESTOREFH to ensure that the security policy has not changed.
...
... inspection for a security match, the server will check it again on
RESTOREFH to ensure that the security policy has not changed.
If the client wants ...
... current filehandle and name as provided in the original LOOKUP or
OPEN to enumerate the available security triples.
o For LINK ...
... none exist for these two operations. Therefore, the client must
iterate through the security triples available at the client and
reattempt the PUTROOTFH or PUTPUBFH operation. In the unfortunate
...
... client and
reattempt the PUTROOTFH or PUTPUBFH operation. In the unfortunate
event none of the MANDATORY security triples are supported by the
client and server, the client SHOULD try using others that support
...
... risk. Nonetheless, the server SHOULD allow the client to use
whatever security form the client requests and the server
supports, since the risks of doing so are on the client ...
... The READDIR operation will not directly return the NFS4ERR_WRONGSEC
error. However, if the READDIR request included a request for
attributes, it is possible that the READDIR request's security triple
does not match that of a directory entry. If this is the case and
the client ...
... return the NFS4ERR_WRONGSEC error in rdattr_error for the entry.
See the section "Security Considerations" for a discussion on the
recommendations for security ...
... Security Considerations" for a discussion on the
recommendations for security flavor used by SECINFO.
ERRORS
...
... Security Considerations ...
... port
number that the request was sent to. While such a model is easy to
implement and simple to deploy and use, it is certainly not a safe
model. Thus, NFSv4 mandates that implementations support a security
model that uses end to end authentication, where an end-user on a
...
... privacy are
discussed as part of the section on "RPC and Security Flavor".
Note that while NFSv4 mandates an end to end mutual authentication ...
... NFS version 4
implementations may choose to not use security mechanisms that enable
integrity protection on each remote procedure call ...
... RPC request and/or the response. While implementations are free to
provide the option to use weaker security mechanisms, there are two
operations in particular that warrant the implementation overriding
user choices.
...
... client issue the SECINFO call such that it is protected with a
security flavor that has integrity protection, such as RPCSEC_GSS
...
... integrity protection, such as RPCSEC_GSS
with a security triple that uses either rpc_gss_svc_integrity or
rpc_gss_svc_privacy ...
... NFS4ERR_FHEXPIRED = 10014,/* filehandle expired */
NFS4ERR_SHARE_DENIED = 10015,/* share reserve denied */
NFS4ERR_WRONGSEC = 10016,/* wrong security flavor */
NFS4ERR_CLID_INUSE = 10017,/* clientid in use */
...
...
/*
* SECINFO: Obtain Available Security Mechanisms
*/
struct SECINFO4args {
...
... NFS Version 2 and Version 3 Security Issues and the NFS Protocol's Use of RPCSEC_GSS and Kerberos ...
... Linn, J., "Generic Security Service Application Program Interface, Version 2, Update 1", RFC 2743prop ...
... Chiu, A., Eisler, M. and B. Callaghan, "Security Negotiation for WebNFS" , RFC 2755, June 2000. ...