Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp13615582rwl; Wed, 4 Jan 2023 10:28:18 -0800 (PST) X-Google-Smtp-Source: AMrXdXvo1tgjDQVemgf28Ik0gw92tSTGukAhFOvdnPUnZrwnmVrEAnPIuA7If/S1mHMWH1CgxuEZ X-Received: by 2002:a17:902:9a96:b0:192:54f6:fb4c with SMTP id w22-20020a1709029a9600b0019254f6fb4cmr43580298plp.54.1672856898039; Wed, 04 Jan 2023 10:28:18 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1672856898; cv=pass; d=google.com; s=arc-20160816; b=p8A3dSz3KNmfUI+QtgVPBE/VZYlttVA5EZbhiSt5MVqBzhDq9zbnowe0pBW3F8KLdG 7UXgOnEsKjycbXsFAXS0FsePi7A9u6x5B7l8qC3v7ajDxBRBwgY0lwkY0bIAYadSwcEN H3WepQXVRGFRUuyi+/Novq30GhbGMR3JFTXFZU8ECi2Ovf7Fy6V4tbBj7GSjQBNcozpU yd8KS448IMJt3aw+sSyrEeWrR1lZ97RjKpAS4g/Ri6tA9QneDx0e6auFj+iX+kgKngpI c2l15tGZpupdkb1I3Kh+HbaR+2FrC+qJQYz/ro2SwDvei0T245zInJYN2GxW7tH/fLOR vb9Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:content-transfer-encoding :content-id:content-language:accept-language:in-reply-to:references :message-id:date:thread-index:thread-topic:subject:cc:to:from :dkim-signature:dkim-signature; bh=HSsEfCHNYxA79Ekbd/qpN4PHkOgDNNIIAz5RdJOkBYI=; b=uWvrx0BNrr2b4s9UYSWbpDsqL2uxv2smnwuvJ2pTr7a9B48WpMeegO3jIrvaD52cw/ m7pUt33FeNgnX2fvru3Q13jvH8uyUqiDgJve4J2NPbTCg/L3UpZyb5vYFapJ/Kn7Lg2m dZY+iAnX9LC9s76Y6/+k8ARGiSpDirOgdvGa5J7xssGbdiZ0czYa8Gr2UdlCgTbRmCKU jRh6YqRS2k1pngkWFmuRH3qrThPzzfdyDQbuWSsNLUm1NUY2+YZFsQF7/Z4v65rkZNKQ dle4EkDozr6GHHjhm66cHzGaKpoYUAExNBGvtM0mH9fzDFMqwvT+wFmm/vUR+9RKwjtX ocOQ== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2022-7-12 header.b=LWIAwePu; dkim=pass header.i=@oracle.onmicrosoft.com header.s=selector2-oracle-onmicrosoft-com header.b=MkVmRRc9; arc=pass (i=1 spf=pass spfdomain=oracle.com dkim=pass dkdomain=oracle.com dmarc=pass fromdomain=oracle.com); spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id w5-20020a170902e88500b00192c8827041si10693915plg.378.2023.01.04.10.27.59; Wed, 04 Jan 2023 10:28:18 -0800 (PST) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2022-7-12 header.b=LWIAwePu; dkim=pass header.i=@oracle.onmicrosoft.com header.s=selector2-oracle-onmicrosoft-com header.b=MkVmRRc9; arc=pass (i=1 spf=pass spfdomain=oracle.com dkim=pass dkdomain=oracle.com dmarc=pass fromdomain=oracle.com); spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235145AbjADSSu (ORCPT + 99 others); Wed, 4 Jan 2023 13:18:50 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58986 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240202AbjADSGu (ORCPT ); Wed, 4 Jan 2023 13:06:50 -0500 Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CD288140FC for ; Wed, 4 Jan 2023 10:06:48 -0800 (PST) Received: from pps.filterd (m0333520.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 304FNrRd018995; Wed, 4 Jan 2023 18:06:44 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=corp-2022-7-12; bh=HSsEfCHNYxA79Ekbd/qpN4PHkOgDNNIIAz5RdJOkBYI=; b=LWIAwePupjfpgvFO1xTLbyg1UlteBMvYhq46WEwP72Odp1dKJphXI6AiKXG2wV8Crz2M FsUCuJQsdaw53RJsdXG5ArPniutBCinDWdwIVkU3X6xXJdvrO41RBODAL3FP6f5mwo01 7JJe61Ph73LTSTgL+8Mb+9YHNqKStnAXGZE69ymL7BdCOLzsqB0+ntimN+ybSifntoFz jIk4J14b8Ypu1EKO/FAUBOT4PE8NRlo+ctkeOTrTq8lmLazijv9NtMVuVRiMuVltnSsv x/7B1yD6mG4+o98h0FRJveOLp9g5fgYk4imecKqv6/HbsF8YfHKQtsC0HpBYRCVMJmOc 3A== Received: from phxpaimrmta02.imrmtpd1.prodappphxaev1.oraclevcn.com (phxpaimrmta02.appoci.oracle.com [147.154.114.232]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3mtd4c787c-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 04 Jan 2023 18:06:44 +0000 Received: from pps.filterd (phxpaimrmta02.imrmtpd1.prodappphxaev1.oraclevcn.com [127.0.0.1]) by phxpaimrmta02.imrmtpd1.prodappphxaev1.oraclevcn.com (8.17.1.5/8.17.1.5) with ESMTP id 304HeOUi027030; Wed, 4 Jan 2023 18:06:43 GMT Received: from nam11-dm6-obe.outbound.protection.outlook.com (mail-dm6nam11lp2177.outbound.protection.outlook.com [104.47.57.177]) by phxpaimrmta02.imrmtpd1.prodappphxaev1.oraclevcn.com (PPS) with ESMTPS id 3mwcn6w31k-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 04 Jan 2023 18:06:43 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=iVg7akyykXGONInXjXdm93ONlu4ogzg+8wxlETm8n200Eg7hrj4Yuy0JVWTSC+oW9Fx1mGi6BxVqwt4kZFlRTxdwJ9C4h1Ky+cul4yXAYJ1L5NM6OUs7eTcs155kKcattdc2NNrpV9A8brdBTWwHc6KEZ3n5nLhoLmGN7yEJei5QjMT2lGwIupWHsQvs8QqImNu99DSz2Nlr5GAhqzsc82RJV+XZ27k0XW7A7jk924E5jAbWwzq4hkhTkZ8fFBEVfPogF2rdOH7mL+G6sy+y87dJXJE9k5nidXp8972f+0ghc2CwbBuvW+qz7+GkOGBN5U+qcRGJxPeYDtnx6ZzDFA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=HSsEfCHNYxA79Ekbd/qpN4PHkOgDNNIIAz5RdJOkBYI=; b=WjvIdFgsfWSEnZ1l5rMefxgMJNlxzNlKP2qWTf/OFowNDndzgsgWPl+jm9/Wh8fD+rclRfU3SKv/9pbB5nf+5/6sNx2U2XBoDgtdgLv4VpNKt01HpgY/WJCyGoV6o+xyuPfVDa0R1svgMhacEDKDJn4vbrmKBwZhjw3+GmHjYlyMH5aiW78N9p/hydfWYa1BKA4PENYVMFYvcs7SNmWfsgwTfO9gxmKsIMcYrZmHfuDsXVOvW5M0fI/7GMFGzRjv2oVd4zc0MqWM2ZFMhOeNnGNiyhlQDo9hGf/aEvqjyTBZecPxzQ3Rby0S/VA4m9WXObGtrR6uTmxvlmWelxs7Mw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=HSsEfCHNYxA79Ekbd/qpN4PHkOgDNNIIAz5RdJOkBYI=; b=MkVmRRc9uDcrriAnt8Zo5wm+ak3OUkyhQ48wQCU045qyiDi5BfCXp7O58fNvMi4cnjLL6R4x7lmbMfqsomS66wEcS56M8+qTVxiGbo3QiIBw5ehuL6emOpOk+okf48wuOJ+ODabNLX8XXiUu3r4A2Z2cdLGANBrBiVqMhfHx0Yg= Received: from BN0PR10MB5128.namprd10.prod.outlook.com (2603:10b6:408:117::24) by SN4PR10MB5575.namprd10.prod.outlook.com (2603:10b6:806:206::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5944.19; Wed, 4 Jan 2023 18:06:41 +0000 Received: from BN0PR10MB5128.namprd10.prod.outlook.com ([fe80::d8a4:336a:21e:40d9]) by BN0PR10MB5128.namprd10.prod.outlook.com ([fe80::d8a4:336a:21e:40d9%4]) with mapi id 15.20.5944.019; Wed, 4 Jan 2023 18:06:40 +0000 From: Chuck Lever III To: Trond Myklebust CC: Rick Macklem , Linux NFS Mailing List Subject: Re: RFC:Doing a NFSv4.1/4.2 Kerberized mount without a machine credential Thread-Topic: RFC:Doing a NFSv4.1/4.2 Kerberized mount without a machine credential Thread-Index: AQHZH9vamVQSE8pdpU+4JSLI/7+74a6NhDYAgAAR0QCAABflgIAAoyIAgAAybACAAAtjgA== Date: Wed, 4 Jan 2023 18:06:40 +0000 Message-ID: <15C694E4-925B-47E6-A054-644A0A142F88@oracle.com> References: <6ed7866da1e57a46da0108e9581242cd7f1ef2ce.camel@kernel.org> <52f00169bb54c082dbffbcbf999c8096cb16d25d.camel@kernel.org> In-Reply-To: <52f00169bb54c082dbffbcbf999c8096cb16d25d.camel@kernel.org> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-mailer: Apple Mail (2.3696.120.41.1.1) x-ms-publictraffictype: Email x-ms-traffictypediagnostic: BN0PR10MB5128:EE_|SN4PR10MB5575:EE_ x-ms-office365-filtering-correlation-id: 7bc186ab-12a9-48aa-2d3c-08daee7e6e2a x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: IQMZ4RLbn9H+X5XcjWekILA+zyZue2S6sU7sHV1BCm5EJO+wdPfeZTyvZFpuw+sBmdV/FjXohyGhRUYTr0IzN17fU4todZlrBVmQxEKJyIORrYXCmSt+2H0ZWoz30x0Nby0i0uzLwTAMh9AjrK96hp1z/fyGg/8AKWHUcMuBreMcxoUqoNXRC/LXystOaA6NDQS8GKuQtzZq5fcVaVu9QGp+7ldWVUHhtKbaq+0JnkpLY4C5tKapiEpz4Jn/3hdhFuiaN67GZGr1tjoZaK4r7Hx2zJ4kqCSKk3/A6jFK3Oytvsb9yMY7MuxzZAxkaR6Zv7FJplC1LwfMykymVId3siF7OQi6pMqko1wZGizAKBtb42VfteTi2ERUYmR93GUeqqiSJkuiaUGBdYqJr04S0AYs3Uwako8wJ3W7/3TJZe+wg9n8wtz+JjW+31kJCaKHUy/9VO5zM98AmUtS4vlfy3bIwVYj3EyvSgSviXi1FcG+ZgXv7N9zEuzNvPbI8UjCQ1zdT/mRdmowTcvAvBZZu++0w2O1gtnPE5f9NfnqOKdoL5OUPtNiaO2noUlwI0i23J053iVlq+YQGuf5UpGOc7MPUugPhxSuAREfCDRwidlsMZ7LTU2PZJUEdAn5LpDxfUqluWXc+a2mECwpDeW4upgD0hfdgLBa6dE05LZOYAzVfMMK1oN1acU8SjOmEf+YYeVq3nbTFaOHrR3pIybAzv1iwOygg0Jc7d1tAvk1Yiw= x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BN0PR10MB5128.namprd10.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230022)(136003)(39860400002)(396003)(366004)(346002)(376002)(451199015)(38100700002)(36756003)(33656002)(2906002)(5660300002)(86362001)(41300700001)(8936002)(83380400001)(122000001)(6916009)(54906003)(66556008)(71200400001)(6486002)(76116006)(66899015)(38070700005)(66946007)(53546011)(4326008)(6506007)(66476007)(91956017)(478600001)(64756008)(66446008)(8676002)(2616005)(26005)(6512007)(186003)(316002)(45980500001);DIR:OUT;SFP:1101; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?JciiazT8gXWMRTkfWtfINdBZg3ke97VDNVT3W/uAQJ2DcAl1f+6RA8CpNs6H?= =?us-ascii?Q?yq01xANwQzwxbiPe7J6V/IPFONPCo8e9RKz/djkSFEVPFXBtd1qgO3X79GjJ?= =?us-ascii?Q?dtYsGzy80sGMj2PbeBhCvIWNY2EJaDmDiG8qoyaelZG5SzXvbArpW+ULF0LA?= =?us-ascii?Q?OvkoZNe4hrbse7+TddvWY9YG6Od6j9CaFl1cjZClO8lF1fb8sousI3CNelK8?= =?us-ascii?Q?qrXuDtZ7UouQhKTNkHPYLi9fJDzoO/GT7L9E4G53r/xwRSEprtoPwijlJazN?= =?us-ascii?Q?lBxM9yay28kQtdCkygiCGh36D690klCY9RBnSuwyrawT47AWaw2SU94YoYf2?= =?us-ascii?Q?OL5TbdU3noelsTMOO71ba/beEhCB/zscCxHxf58Ik+YHlkIpZS9qFZUPS0H3?= =?us-ascii?Q?U4R8umkceCdMkBBJaAuwNpUxle4Jin3fvy4HX59iA+PE5VGk+hOWT5V1i6Wt?= =?us-ascii?Q?7mq0eavIUnicUWkSQ856e1w4a0B6RSjRHIBUczEQgNdww/9sKg1WLouMD/+P?= =?us-ascii?Q?0MU7t+Z46JVQFUW6WuZNf5HAufEaJbMcv5VSKwFTBJIrWqV3zgaize5aJt7P?= =?us-ascii?Q?IFdfisMwNsEbABncCvmvGD5Zlj7MAjgZIbRcL23Vm8LjDfb5L1ZkMjc//YUw?= =?us-ascii?Q?OaiQqj6f0uYUIszwHP4AOV4PmuYLy4fZcoIXDs9VgkXjHr0t38DQ4j0K2p25?= =?us-ascii?Q?jQ3o3yYY2hl4L42zNYT3XDzeebvOzDjO4bE1/n4Y9/DtEScfzt8P4TzCmqkQ?= =?us-ascii?Q?yNMLa2AErCMw+s5H0Cvjlzjf2ZqC12fqj46L1PcKZVhY6SqKCEKvV4t6wXYb?= =?us-ascii?Q?D2iODKZdi+7+4789C2F6dTdYsPf0OZS9HHjbb0EF5bg7onl2ZgeH6LJuw7i6?= =?us-ascii?Q?YoV57eus53KQIdW24Ac/CCJxJt6JqJUOVNh7CyGaZ3uJJPjjSUEyVBckm7xP?= =?us-ascii?Q?ZwL77YkgakNC9CBlc55iwyNQfdhkeJvZvHdIfAZCXCOfYYyqhAEYu0Z2Jtry?= =?us-ascii?Q?/yeUt0oIjTA361CzW/LJ6zOEazmu/hf+Kfexo0ixhdCNe1zMqmQDiPAqxnJ/?= =?us-ascii?Q?EbtSzNBHrVobozzCeJxwxD4gVW105kuP0hb2PFMtri6D/SnmC+Lid0GlmOwn?= =?us-ascii?Q?Xvj6dE1UyxZUiTKdEZWe81CTdVTd1xqRj5fzxR4MB3dfCQ1btYbtM7MQeFBb?= =?us-ascii?Q?HxkP0JqZW2bKh8cGoQFdMCaoal90DQ+vwlixezWGy/E7PjNFwnt+6zFOo5Ft?= =?us-ascii?Q?g1iAvxIPzdZnVA5nS5CfLVGn07ri/FUA0U3DEFlObmmdzgBKVYB4Cg5u70QY?= =?us-ascii?Q?X0ZpE39n0ioE2keasmC6rFa8Ky/s9kkoU+GCxL5inXdgXowZ4/FlMDzTSGXl?= =?us-ascii?Q?4NvSjq0HidR+LLIIKqk+qWPgGpsi7aw7cdf+5o4IGdbxJnmzEyJV9JyZLwQ4?= =?us-ascii?Q?TKyGFyMTvE1CT5ziJ7LCl2MZpy1tyRGfD6JHO1xyNfLwDcI+6YJxyZ8UFPvg?= =?us-ascii?Q?iYKeoH8tm+UIXps6PpkZQD6ufd1zMoe1AWhmefNUEzXdDsK8tufNkrpTFlht?= =?us-ascii?Q?awhOvIC+UTe4lpWcdzXj+RTwlxJ/rk+HAz9s5y7aXaQuSnjFdWwVhIlhb5d/?= =?us-ascii?Q?zA=3D=3D?= Content-Type: text/plain; charset="us-ascii" Content-ID: <4D74CAAAD2073D46A0C14F827450F317@namprd10.prod.outlook.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: Uc1lL8Ta3hzBqsRPsNP1lu3MwQnbyXzekvrqP/5k9BtPZhbVvHZI4vu5p4WK1Z98+TLbixkyqFzC7fWjtrKKHsvLMmVcAXAhCWvf+ZTL3y0J9B4Ot4B3Dw4cvoWlSuacGF42s1C2xLgyq0oh0mQMFHjBTieAXw1svpjX7OuEktR3IikCjXk5rTILv/EHsUAzYYHy9G4/HfaF+fGmlDWy0TpWu7h1rxfszG544ATMpXv1Xixbd1q9uA7esr2QIBx1TazkAJlST+Od5eHbQyHu3odNUb0WRE6MoyU1aBGAx4gLK1llnmd+wAN7sH68vsayo86AF13kPfq949/aH7gip5b+GOLSvFJnUDqUM2ULGObYppx7CqunDRkDGZmpmsTce01/xrrnX7NE8Qt9MtisI5aK5Yy6BAWW/2O2n3U+XNEy70IuwEv4X6r+FTHFFXqdes750lSck67uVzKa18FNpgu+bozVTlxpgPp5ifQ/iTinhPRKT7K6zvPh85OQ3s4yC9YbJXQr75ICphqxwZyNeDtUbrYqKMxv9JRrIwEO3PqGqH+gerJBPLXuobbDjzmF+V5VIBzoN0Rt1oqPY9oS50kp2kqJZAGnUUMZLFPtjAWCScDY/hyw5+BFAMwSUmeEMgXrFBUIoLUZn7VKWy/5stG39FqyqP3Iu+SjXBXqgbilzMdklsDck9VUtO/iRZTfkt1zV6RvilLlYIdGExF88dHsZhr+qEPsBPmDJNgMRMTYcGnOIKqHZme/VsGPkJJ2roYMdz2+fG0tXIWsggUqjM7jTMcYf5exwxyxr9ClyFg+JFbvky9MsRw3M2WCtnk0 X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: BN0PR10MB5128.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 7bc186ab-12a9-48aa-2d3c-08daee7e6e2a X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Jan 2023 18:06:40.7425 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: Bb8JurtUU+K0i0q8vOUmNyN4v8VGLaqGf5Fgrc7yN/c9BfBfp4ZceNoSkbKK7XFTSkMi0VMmrXfJCiLacgbdBA== X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN4PR10MB5575 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.923,Hydra:6.0.545,FMLib:17.11.122.1 definitions=2023-01-04_07,2023-01-04_02,2022-06-22_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 mlxlogscore=999 phishscore=0 malwarescore=0 suspectscore=0 spamscore=0 mlxscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2212070000 definitions=main-2301040151 X-Proofpoint-GUID: PW6AD_FDYpuASKQSHmvJV433CUKqpRXY X-Proofpoint-ORIG-GUID: PW6AD_FDYpuASKQSHmvJV433CUKqpRXY X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org > On Jan 4, 2023, at 12:25 PM, Trond Myklebust wrote: >=20 > On Wed, 2023-01-04 at 14:25 +0000, Chuck Lever III wrote: >>=20 >>=20 >>> On Jan 3, 2023, at 11:41 PM, Trond Myklebust >>> wrote: >>>=20 >>> I've been thinking about how to use a public key infrastructure to >>> provide stronger authentication of multiple individual users' RPC >>> calls >>> and multiplexing them across a shared TLS connection. >>>=20 >>> Since the client trusts the server through the TLS connection >>> authentication mechanism, and you have privacy guaranteed by that >>> TLS >>> connection, then really all you want to do is for each RPC call >>> from >>> the client to be able to prove that the caller has a specific valid >>> identity in the PKI chain of trust. >>>=20 >>> So how about just defining a simple credential (AUTH_X509 ?) >>> containing >>> a timestamp, and a distinguished name, and have it be signed using >>> the >>> (trusted) private key of the user? Use the timestamp as the basis >>> for a >>> TTL for the credential so that the client+server don't have to keep >>> signing a new cred for each and every RPC call for that user, and >>> allow >>> the client to reuse the cred for a while as a shared secret, once >>> the >>> signature has been verified by the server. >>=20 >> A laptop typically has a single user. The flexibility of identity >> multiplexing isn't necessary in this particular scenario. >>=20 >=20 > Yeah, I don't particularly care about laptop use cases. Most > enterprises set up VPNs for dealing with them because users typically > need access to more services than just a NFS server. The trend I've seen is that enterprises are moving their important services out of from behind VPNs and into the cloud. Each such service is responsible for providing appropriate levels of authentication and confidentiality via a single-sign on service and an in-transit encryption capability. > I am interested in the general problem of authenticating RPC users > using certificates, since that is becoming more common due to the rise > of S3 object storage and cloud services. While AD and krb5+LDAP can be > extended into those environments too, there are plenty who choose not > to, because PKI is generally sufficient, and can be more flexible. We had SPKM. Would that not work? -- Chuck Lever