rpc.gssd(8)                  System Manager's Manual                  rpc.gssd(8)

NAME
       rpc.gssd - RPCSEC_GSS daemon

SYNOPSIS
       rpc.gssd [-DfMnlvr] [-k keytab] [-p pipefsdir] [-d ccachedir] [-t timeout]
                [-R realm]

INTRODUCTION
       The RPCSEC_GSS protocol, defined in RFC 5403, is used to provide strong
       security for RPC-based protocols such as NFS.

       Before exchanging RPC requests using RPCSEC_GSS, an RPC client must
       establish a GSS security context. A security context is shared state on
       each end of a network transport that enables GSS-API security services.

       Security contexts are established using security credentials. A
       credential grants temporary access to a secure network service, much as
       a railway ticket grants temporary access to use a rail service.

       A user typically obtains a credential by providing a password to the
       kinit(1) command, or via a PAM library at login time. A credential
       acquired with a user principal is known as a user credential (see
       kerberos(1) for more on principals).

       For certain operations, a credential is required which represents no
       user, is otherwise unprivileged, and is always available. This is
       referred to as a machine credential.

       Machine credentials are typically established using a service
       principal, whose encrypted password, called its key, is stored in a
       file, called a keytab, to avoid requiring a user prompt. A machine
       credential effectively does not expire because the system can renew it
       as needed without user intervention.

       Once obtained, credentials are typically stored in local temporary
       files with well-known pathnames.

DESCRIPTION
       To establish GSS security contexts using these credential files, the
       Linux kernel RPC client depends on a userspace daemon called rpc.gssd.
       The rpc.gssd daemon uses the rpc_pipefs filesystem to communicate with
       the kernel.

   User Credentials
       When a user authenticates using a command such as kinit(1), the
       resulting credential is stored in a file with a well-known name
       constructed using the user's UID.

       To interact with an NFS server on behalf of a particular
       Kerberos-authenticated user, the Linux kernel RPC client requests that
       rpc.gssd initialize a security context with the credential in that
       user's credential file.

       Typically, credential files are placed in /tmp. However, rpc.gssd can
       search for credential files in more than one directory. See the
       description of the -d option for details.

   Machine Credentials
       A user credential is established by a user and is then shared with the
       kernel and rpc.gssd. A machine credential is established by rpc.gssd
       for the kernel when there is no user. Therefore rpc.gssd must already
       have the materials on hand to establish this credential without
       requiring user intervention.

       rpc.gssd searches the local system's keytab for a principal and key to
       use to establish the machine credential. By default, rpc.gssd assumes
       the file /etc/krb5.keytab contains principals and keys that can be used
       to obtain machine credentials.

       rpc.gssd searches in the following order for a principal to use. The
       first matching credential is used. For the search, <hostname> and
       <REALM> are replaced with the local system's hostname and Kerberos
       realm.

              <HOSTNAME>$@<REALM>
              root/<hostname>@<REALM>
              nfs/<hostname>@<REALM>
              host/<hostname>@<REALM>
              root/<anyname>@<REALM>
              nfs/<anyname>@<REALM>
              host/<anyname>@<REALM>

       The <anyname> entries match on the service name and realm, but ignore
       the hostname. These can be used if a principal matching the local
       host's name is not found.

       Note that the first principal in the search order is a user principal
       that enables Kerberized NFS when the local system is joined to an
       Active Directory domain using Samba. A password for this principal
       must be provided in the local system's keytab.

       You can specify another keytab by using the -k option if
       /etc/krb5.keytab does not exist or does not provide one of these
       principals.

   Credentials for UID 0
       UID 0 is a special case. By default rpc.gssd uses the system's machine
       credentials for UID 0 accesses that require GSS authentication. This
       limits the privileges of the root user when accessing network
       resources that require authentication.

       Specify the -n option when starting rpc.gssd if you'd like to force the
       root user to obtain a user credential rather than use the local
       system's machine credential.

       When -n is specified, the kernel continues to request a GSS context
       established with a machine credential for NFSv4 operations, such as
       SETCLIENTID or RENEW, that manage state. If rpc.gssd cannot obtain a
       machine credential (say, the local system has no keytab), NFSv4
       operations that require machine credentials will fail.

   Encryption types
       A realm administrator can choose to add keys encoded in a number of
       different encryption types to the local system's keytab. For instance,
       a host/ principal might have keys for the aes256-cts-hmac-sha1-96,
       aes128-cts-hmac-sha1-96, des3-cbc-sha1, and arcfour-hmac encryption
       types. This permits rpc.gssd to choose an appropriate encryption type
       that the target NFS server supports.

       These encryption types are stronger than legacy single-DES encryption
       types. To interoperate in environments where servers support only weak
       encryption types, you can restrict your client to use only single-DES
       encryption types by specifying the -l option when starting rpc.gssd.

OPTIONS
       -D     The server name passed to GSSAPI for authentication is normally
              the name exactly as requested, e.g. for NFS it is the server
              name in the "servername:/path" mount request. Only if this
              servername appears to be an IP address (IPv4 or IPv6) or an
              unqualified name (no dots) will a reverse DNS lookup be
              performed to get the canonical server name.

              If -D is present, a reverse DNS lookup will always be used, even
              if the server name looks like a canonical name. So it is needed
              if partially qualified or non-canonical names are regularly
              used.

              Using -D can introduce a security vulnerability, so it is
              recommended that -D not be used, and that canonical names always
              be used when requesting services.

       -f     Runs rpc.gssd in the foreground and sends output to stderr (as
              opposed to syslogd).

       -n     When specified, UID 0 is forced to obtain user credentials which
              are used instead of the local system's machine credentials.

       -k keytab
              Tells rpc.gssd to use the keys found in keytab to obtain machine
              credentials. The default value is /etc/krb5.keytab.

       -l     When specified, restricts rpc.gssd to sessions using weak
              encryption types such as des-cbc-crc. This option is available
              only when the local system's Kerberos library supports settable
              encryption types.

       -p path
              Tells rpc.gssd where to look for the rpc_pipefs filesystem. The
              default value is /var/lib/nfs/rpc_pipefs.

       -d search-path
              This option specifies a colon-separated list of directories that
              rpc.gssd searches for credential files. The default value is
              /tmp:/run/user/%U. The literal sequence "%U" can be specified to
              substitute the UID of the user for whom credentials are being
              searched.

       -M     By default, machine credentials are stored in files in the first
              directory in the credential directory search path (see the -d
              option). When -M is set, rpc.gssd stores machine credentials in
              memory instead.

       -v     Increases the verbosity of the output (can be specified multiple
              times).

       -r     If the RPCSEC_GSS library supports setting debug level, increases
              the verbosity of the output (can be specified multiple times).

       -R realm
              Kerberos tickets from this realm will be preferred when scanning
              available credentials cache files to be used to create a
              context. By default, the default realm, as configured in the
              Kerberos configuration file, is preferred.

       -t timeout
              Timeout, in seconds, for kernel GSS contexts. This option allows
              you to force new kernel contexts to be negotiated after timeout
              seconds, which allows changing Kerberos tickets and identities
              frequently. The default is no explicit timeout, which means the
              kernel context will live the lifetime of the Kerberos service
              ticket used in its creation.

       -T timeout
              Timeout, in seconds, to create an RPC connection with a server
              while establishing an authenticated gss context for a user. The
              default timeout is set to 5 seconds. If you get messages like
              "WARNING: can't create tcp rpc_clnt to server %servername% for
              user with uid %uid%: RPC: Remote system error - Connection timed
              out", you should consider an increase of this timeout.

SEE ALSO
       rpc.svcgssd(8), kerberos(1), kinit(1), krb5.conf(5)

AUTHORS
       Dug Song <dugsong AT umich.edu>
       Andy Adamson <andros AT umich.edu>
       Marius Aamodt Eriksen <marius AT umich.edu>
       J. Bruce Fields <bfields AT umich.edu>

                                  20 Feb 2013                       rpc.gssd(8)
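Added example, not part of nfs-utils or this manual: a shell function that applies the machine-credential search order from the Machine Credentials section to a keytab listing in the format printed by klist -k, so an administrator can predict which principal rpc.gssd would select before relying on it. The listing is constructed sample text, and the upper-cased short hostname used for the Active Directory entry is an assumption (the manual only writes it as <HOSTNAME>$).

```shell
#!/bin/sh
# Added example, not part of nfs-utils: apply the rpc.gssd(8) machine-credential
# search order to a keytab listing and report the principal that would be chosen.
# The listing below is constructed sample text in the format printed by `klist -k`.
SAMPLE_KEYTAB_LIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------------------------
   2 host/nfsclient.example.com@EXAMPLE.COM
   2 nfs/nfsclient.example.com@EXAMPLE.COM
   3 nfs/other.example.com@EXAMPLE.COM'

# pick_machine_principal HOSTNAME REALM   (keytab listing on stdin)
# Prints the first principal that matches the documented order and returns 0,
# or prints nothing and returns 1 when the keytab offers no usable principal.
pick_machine_principal() {
    host=$1; realm=$2
    # Keep only the principal column; the first three lines are klist headers.
    principals=$(awk 'NR > 3 { print $2 }')
    # Assumption: the Active Directory entry is the upper-cased short hostname
    # followed by "$" (the manual only shows it as <HOSTNAME>$).
    short=$(printf '%s' "$host" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    # Patterns in the order rpc.gssd(8) documents; '*' stands for <anyname>.
    for pattern in \
        "${short}\$@${realm}" \
        "root/${host}@${realm}" \
        "nfs/${host}@${realm}" \
        "host/${host}@${realm}" \
        "root/*@${realm}" \
        "nfs/*@${realm}" \
        "host/*@${realm}"
    do
        # Keytab entries are checked in file order for each pattern.
        for p in $principals; do
            case $p in
                $pattern) printf '%s\n' "$p"; return 0 ;;
            esac
        done
    done
    return 1
}

# Stand-alone demonstration: the principal the sample keytab yields for this host.
printf '%s\n' "$SAMPLE_KEYTAB_LIST" | pick_machine_principal nfsclient.example.com EXAMPLE.COM
```

The sample keytab has no root/ entry, so nfs/nfsclient.example.com@EXAMPLE.COM wins over host/ for that host, and a host with no entry of its own falls through to the nfs/<anyname> wildcard.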