1 9/29/2016 Kerberos Authentication with the Linux Kernel CIFS Client Jeff Layton (Red Hat/Samba Team )

2 9/29/2016 Who am I? ● Member of filesystem engineering team at Red Hat since 2006 ● Joined worldwide Samba team in 2008 ● Primarily work on CIFS and NFS, but I also dabble some in generic VFS layer (and other places) ● Wrote most of the in-kernel parts of the krb5 upcall mechanism for CIFS

3 9/29/2016 Overview Basic Kerberos Configuration for CIFS + krb5 Problems with current implementation Deployment scenarios/recommendations Future improvements

4 9/29/2016 Brief History of Kerberos ● Invented at MIT, first publication of v4 in the 1980's ● v5 published in 1993 ● Most unix-like OS's have had it for years ● Microsoft adopted it as the basis of its authentication model with Windows 2000

5 9/29/2016 What is Kerberos? ● Secure authentication over insecure networks: ● A way for people and machines in the “realm” (aka “domain”) to verify their identity to one another without exposing passwords to the network. ● Relies on a trusted 3 rd party – the Key Distribution Center (KDC) ● All entities (users and services) are considered “principals” to the KDC ● Authentication is mutual

6 9/29/2016 Overview of Krb5 Auth 1) Get Ticket Granting Ticket (TGT) 2) Use TGT to get service ticket 3) Use service ticket to establish server session

7 9/29/2016 Krb5 Principal Format primary: user or service name instance: additional qualifier: usually FQDN for service principals. Often “/admin” for user principals. realm: all principals are unique within a realm. Convention is to use DNS domain name in uppercase.

8 9/29/2016 Examples of Principals User Principals: Service Principals:

9 9/29/2016 GSSAPI and SPNEGO GSSAPI: Generic Security Services Application Programming Interface. A standard plugin interface for authentication schemes. SPNEGO: Simple Protected GSSAPI Negotiation Mechanism. A way for client and server to agree on an authentication method to use.

10 9/29/2016 CIFS krb5 authenticaton Client sends NegProt req with extended security bit set Server replies with list of auth methods that it supports (via SPNEGO) Client sends session setup with SPNEGO blob that contains krb5 ticket

11 9/29/2016 CIFS krb5 mount process 1) mount.cifs reqests krb5 auth 2) cifs calls into keys API for SPNEGO blob 3) keys api calls out to request_key 4) request_key calls cifs.upcall which gets SPNEGO blob

12 9/29/2016 System Reqs for CIFS+Krb5 Linux kernel that supports SPNEGO upcalls Support first went into mainline in Client Configured for krb5 (/etc/krb5.conf) /sbin/request-key Usually part of the “keyutils” package /usr/sbin/cifs.upcall Part of samba package – usually bundled with mount.cifs program Was originally called cifs.spnego

13 9/29/2016 /etc/request-key.conf Tells request-key program what program it should run and how. /etc/request-key.conf: #OPERATION TYPE D C PROGRAM ARG1 ARG2... ========== =========== = = ======================== create cifs.spnego * * /usr/sbin/cifs.upcall -c %k create dns_resolver * * /usr/sbin/cifs.upcall %k

14 9/29/2016 NFS Mount Model “Traditional” network filesystem for unix is NFS User creds are sent to the server in each call No one “owns” the connection to the server

15 9/29/2016 CIFS Mount Model Today Only one CIFS session per mount One set of credentials per CIFS session Other users who use the mount are using the creds for the user who “owns” the mount

16 9/29/2016 Simple Mount with krb5 Get a krb5 ticket for the user as whom you'll be authenticating. Then mount the share with the sec=krb5 option # kinit Password for # mount -t cifs -o sec=krb5 \ //server.example.com/export /mnt/cifs

17 9/29/2016 POSIX Extensions CIFS enables POSIX extensions by default Problems with modes and ownership: uid/gid may not match on client and server uid=/gid= mount options override ownership but not mode. The result is permissions that have no basis in reality. all ops on the server are done using mount creds, but VFS enforces these permissions locally. The client's VFS may limit a user from doing ops that the server would allow

18 9/29/2016 CIFS MultiuserMount When there are multiple sessions to the same server, use one that's owned by my UID Can be enabled via: /proc/fs/cifs/MultiuserMount Problems with this approach: Requires a separate mount for each user Users w/o a mount use “default” creds Permissions and file ownership, writeback...

19 9/29/2016 So there are problems... Summary: POSIX extensions aren't terribly useful as implemented by CIFS VFS...neither is MultiuserMount Recommendations: Limit permissions to the user who owns the creds Maybe disable unix extensions altogether?

20 9/29/2016 User mounts in /etc/fstab mount(8) allows unprivileged users to mount filesystems if: /bin/mount and mount helper are setuid root the user owns the mountpoint mount is in /etc/fstab with “user” option (distinct from user= option that CIFS uses)

21 9/29/2016 User mounts in /etc/fstab /etc/fstab: //server/share /home/testuser/cifs \ sec=krb5,user,nounix,file_mode=0700, \ dir_mode=0700,noauto 0 0 Then, as unprivileged user: kinit Password for mount /home/testuser/cifs

22 9/29/2016 Using autofs Another possibility is to use autofs: jlayton \ -fstype=cifs,sec=krb5,uid=$UID,gid=$GID \ \\\\server.example.com\\jlayton How do we ensure that the “right” user gets the mount?

23 9/29/2016 Using pam_mount Linux PAM module that can mount filesystems on login Users can configure their own set of mounts (within limits set by admin) Most useful when combined with pam_krb5 Need support for passing name of credcache to cifs.upcall

24 9/29/2016 Using pam_cifs Similar to pam_mount, but specific to CIFS Main feature over pam_mount seems to be LDAP integration Would probably be more useful if the ldap integration were just added to pam_mount

25 9/29/2016 Near-term improvements: Tighten up default permissions on mounts w/o POSIX extensions (patch proposed) Don't forcibly override uid/gid when POSIX extensions are enabled (patch proposed) Support for non-default credcaches (RFC patchset proposed) Reverse name resolution support for getting host principals (not yet done)

26 9/29/2016 Future Directions... Unprivileged mounts? Miklos Szeredi is working on some patches for this. Private namespace mounts? In-kernel today, needs better userspace support to make them per-user. How to attach processes that aren't part of “session”? Multi-session CIFS mounts? Establish sessions on the fly. To user, would look more like the way NFS works. How do we handle ownership when POSIX extensions are off?

27 9/29/2016 Future Discussion What mount model makes the most sense to you?