From: Chuck Lever <chuck.lever@oracle.com>
Subject: Re: Security negotiation
Date: Fri, 10 Jul 2009 14:57:18 -0400
Message-ID: <D8976FEC-39F9-4FF4-8FCE-AB3D5B047DFB@oracle.com>
References: <4A578372.1020005@excfb.com>
Mime-Version: 1.0 (Apple Message framework v935.3)
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Cc: linux-nfs@vger.kernel.org
To: Tom Haynes <tdh-8AdZ+HgO7noAvxtiuMwx3w@public.gmane.org>
Return-path: <linux-nfs-owner@vger.kernel.org>
Received: from rcsinet11.oracle.com ([148.87.113.123]:22680 "EHLO
	rgminet11.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1754269AbZGJS53 (ORCPT
	<rfc822;linux-nfs@vger.kernel.org>); Fri, 10 Jul 2009 14:57:29 -0400
In-Reply-To: <4A578372.1020005-8AdZ+HgO7noAvxtiuMwx3w@public.gmane.org>
Sender: linux-nfs-owner@vger.kernel.org
List-ID: <linux-nfs.vger.kernel.org>


On Jul 10, 2009, at 2:07 PM, Tom Haynes wrote:

> During a NFSv3 mount request, the server returns an array of  
> supported security flavors.
>
> With a Linux server, exports(5) states:
>
> For the purposes of security  flavor  negotiation, order counts:  
> preferred flavors should be listed first.
>
> And the Solaris client states in mount_nfs(1M):
>
>    NFS Version 3 mounts negotiate a security mode when the server  
> returns an array of security modes. The
>    client picks the first mode in the array that is supported on the  
> client. In negotiations, an NFS Version 3 client
>    is limited to the security flavors listed in /etc/nfssec.conf.
>
> The Linux nfs(5) states:
>
>    If the sec option is not specified, or if sec=sys is specified,  
> the NFS client uses the AUTH_SYS
>    security flavor for  all  NFS  requests on this mount point.
>
> So, I'm trying to understand what the Linux client would do if the  
> export does not support AUTH_SYS and
> there is no sec= supplied.
>
> Does the Linux client traverse the array in order until it finds a  
> match or does it consider which flavor is strongest?

The legacy mount command does this (kernels earlier than 2.6.23) but  
the kernel mount client does not yet.  I intend to submit patches for  
this (today, actually) for 2.6.32.

The patches will walk the auth_list returned by mountd.  By default it  
will look for AUTH_SYS, otherwise it will look for the flavor  
specified by the sec= mount option.

If mountd does not provide AUTH_SYS a mount request with no sec= will  
fail.  Should it try the first one in the list instead?  What if the  
first one is AUTH_NULL?

--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com