1 | |
2 | Allow nfs versions 2 and 3 to mount with -osec=krb5. | |
3 | ||
4 | ||
5 | --- | |
6 | ||
7 | util-linux-2.12-bfields/mount/nfs.5 | 37 +++++++++----- | |
8 | util-linux-2.12-bfields/mount/nfs_mount4.h | 18 ++++++- | |
9 | util-linux-2.12-bfields/mount/nfsmount.c | 74 ++++++++++++++++++++++++++++- | |
10 | 3 files changed, 112 insertions(+), 17 deletions(-) | |
11 | ||
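--- a/mount/nfs.5
+++ b/mount/nfs.5
@@ -165,7 +165,7 @@ mount daemon program number.
 Use an alternate RPC version number to contact the
 mount daemon on the remote host. This option is useful
 for hosts that can run multiple NFS servers.
-The default value is version 1.
+The default value depends on which kernel you are using.
 .TP 1.5i
 .I nfsprog=n
 Use an alternate RPC program number to contact the
@@ -178,7 +178,7 @@ NFS daemon program number.
 Use an alternate RPC version number to contact the
 NFS daemon on the remote host. This option is useful
 for hosts that can run multiple NFS servers.
-The default value is version 2.
+The default value depends on which kernel you are using.
 .TP 1.5i
 .I nolock
 Disable NFS locking. Do not start lockd.
@@ -230,9 +230,25 @@ Suppress the retrieval of new attributes
 .TP 1.5i
 .I noac
 Disable all forms of attribute caching entirely. This extracts a
-server performance penalty but it allows two different NFS clients
-to get reasonable good results when both clients are actively
-writing to common filesystem on the server.
+significant performance penalty but it allows two different NFS clients
+to get reasonable results when both clients are actively
+writing to a common export on the server.
+.TP 1.5i
+.I sec=mode
+Set the security flavor for this mount to "mode".
+The default setting is \f3sec=sys\f1, which uses local
+unix uids and gids to authenticate NFS operations (AUTH_SYS).
+Other currently supported settings are:
+\f3sec=krb5\f1, which uses Kerberos V5 instead of local unix uids
+and gids to authenticate users;
+\f3sec=krb5i\f1, which uses Kerberos V5 for user authentication
+and performs integrity checking of NFS operations using secure
+checksums to prevent data tampering; and
+\f3sec=krb5p\f1, which uses Kerberos V5 for user authentication
+and integrity checking, and encrypts NFS traffic to prevent
+traffic sniffing (this is the most secure setting).
+Note that there is a performance penalty when using integrity
+or privacy.
 .TP 1.5i
 .I tcp
 Mount the NFS filesystem using the TCP protocol instead of the
@@ -347,15 +363,8 @@ causes the client to use a specific call
 communicating with an NFS version 4 server.
 This option is currently ignored.
 .TP 1.5i
-.I sec=n
-Specify an advanced security mechanism for this file system.
-To use Kerberos 5 mutual authentication, specify
-.IR krb5 .
-Kerberos 5 integrity checking is specified with
-.IR krb5i ,
-and Kerberos 5 privacy is specified with
-.IR krb5p .
-Other security mechanisms may become available in the future.
+.I sec=mode
+Same as \f3sec=mode\f1 for the nfs filesystem type (see above).
 .TP 1.5i
 .I bg
 If an NFS mount attempt times out, retry the mount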
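--- a/mount/nfs_mount4.h
+++ b/mount/nfs_mount4.h
@@ -8,7 +8,7 @@
 * so it is easiest to ignore the kernel altogether (at compile time).
 */
 
-#define NFS_MOUNT_VERSION 4
+#define NFS_MOUNT_VERSION 5
 
 struct nfs2_fh {
 char data[32];
@@ -36,6 +36,7 @@ struct nfs_mount_data {
 int namlen; /* 2 */
 unsigned int bsize; /* 3 */
 struct nfs3_fh root; /* 4 */
+ int pseudoflavor; /* 5 */
 };
 
 /* bits in the flags field */
@@ -51,4 +52,19 @@ struct nfs_mount_data {
 #define NFS_MOUNT_KERBEROS 0x0100 /* 3 */
 #define NFS_MOUNT_NONLM 0x0200 /* 3 */
 #define NFS_MOUNT_BROKEN_SUID 0x0400 /* 4 */
+#define NFS_MOUNT_SECFLAVOUR 0x2000 /* 5 */
+
+/* security pseudoflavors */
+
+#ifndef AUTH_GSS_KRB5
+#define AUTH_GSS_KRB5 390003
+#define AUTH_GSS_KRB5I 390004
+#define AUTH_GSS_KRB5P 390005
+#define AUTH_GSS_LKEY 390006
+#define AUTH_GSS_LKEYI 390007
+#define AUTH_GSS_LKEYP 390008
+#define AUTH_GSS_SPKM 390009
+#define AUTH_GSS_SPKMI 390010
+#define AUTH_GSS_SPKMP 390011
+#endif
 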
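Review bot: The `#ifndef AUTH_GSS_KRB5` guard makes all nine pseudoflavor constants conditional on a single name, so a system RPC header that happens to define `AUTH_GSS_KRB5` alone would leave `AUTH_GSS_KRB5I` through `AUTH_GSS_SPKMP` undefined and the `sec=` parser in nfsmount.c would no longer compile. Either guard each define individually or state the assumption with a comment such as `/* RPCSEC_GSS pseudoflavor numbers; defined here for systems whose rpc headers lack them, all keyed on AUTH_GSS_KRB5 being absent */`. Separately, `NFS_MOUNT_SECFLAVOUR` jumps from the previous 0x0400 to 0x2000; if 0x0800 and 0x1000 are reserved by the kernel, a one-line comment saying so next to the define would save the next reader a lookup.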
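--- a/mount/nfsmount.c
+++ b/mount/nfsmount.c
@@ -109,6 +109,8 @@ typedef struct {
 static const struct timeval TIMEOUT = { 20, 0 };
 static const struct timeval RETRY_TIMEOUT = { 3, 0 };
 
+static int nfs_call_umount(clnt_addr_t *mnt_server, dirpath *argp);
+
 /* Define the order in which to probe for UDP/TCP services */
 static const u_int *
 proto_probelist(const int use_tcp)
@@ -211,8 +213,10 @@ find_kernel_nfs_mount_version(void) {
 mnt_version = 4; /* since 2.2.18pre9 */
 else if (kernel_version < MAKE_VERSION(2,3,99))
 mnt_version = 3;
+ else if (kernel_version < MAKE_VERSION(2,6,0))
+ mnt_version = 4;
 else
- mnt_version = 4; /* since 2.3.99pre4 */
+ mnt_version = 5;
 }
 if (mnt_version > NFS_MOUNT_VERSION)
 mnt_version = NFS_MOUNT_VERSION;
@@ -596,6 +600,40 @@ parse_options(char *old_opts, struct nfs
 #endif
 } else if (!sloppy)
 goto bad_parameter;
+#if NFS_MOUNT_VERSION >= 5
+ } else if (!strcmp(opt, "sec")) {
+ char *secflavor = opteq+1;
+ /* see RFC 2623 */
+ if (nfs_mount_version < 5) {
+ printf(_("Warning: ignoring sec=%s option\n"), secflavor);
+ continue;
+ } else if (!strcmp(secflavor, "sys"))
+ data->pseudoflavor = AUTH_SYS;
+ else if (!strcmp(secflavor, "krb5"))
+ data->pseudoflavor = AUTH_GSS_KRB5;
+ else if (!strcmp(secflavor, "krb5i"))
+ data->pseudoflavor = AUTH_GSS_KRB5I;
+ else if (!strcmp(secflavor, "krb5p"))
+ data->pseudoflavor = AUTH_GSS_KRB5P;
+ else if (!strcmp(secflavor, "lipkey"))
+ data->pseudoflavor = AUTH_GSS_LKEY;
+ else if (!strcmp(secflavor, "lipkey-i"))
+ data->pseudoflavor = AUTH_GSS_LKEYI;
+ else if (!strcmp(secflavor, "lipkey-p"))
+ data->pseudoflavor = AUTH_GSS_LKEYP;
+ else if (!strcmp(secflavor, "spkm3"))
+ data->pseudoflavor = AUTH_GSS_SPKM;
+ else if (!strcmp(secflavor, "spkm3i"))
+ data->pseudoflavor = AUTH_GSS_SPKMI;
+ else if (!strcmp(secflavor, "spkm3p"))
+ data->pseudoflavor = AUTH_GSS_SPKMP;
+ else if (!sloppy) {
+ printf(_("Warning: Unrecognized security flavor %s.\n"),
+ secflavor);
+ goto bad_parameter;
+ }
+ data->flags |= NFS_MOUNT_SECFLAVOUR;
+#endif
 } else if (!strcmp(opt, "mounthost"))
 mounthost=xstrndup(opteq+1,
 strcspn(opteq+1," \t\n\r,"));
@@ -745,7 +783,7 @@ nfsmount(const char *spec, const char *n
 mntres_t mntres;
 
 struct stat statbuf;
- char *s, *p;
+ char *s;
 int bg, retry;
 int retval;
 time_t t;
@@ -809,6 +847,7 @@ nfsmount(const char *spec, const char *n
 #if NFS_MOUNT_VERSION >= 2
 data.namlen = NAME_MAX;
 #endif
+ data.pseudoflavor = AUTH_SYS;
 
 bg = 0;
 retry = 10000; /* 10000 minutes ~ 1 week */
@@ -847,6 +886,9 @@ nfsmount(const char *spec, const char *n
 printf("tcp = %d\n",
 (data.flags & NFS_MOUNT_TCP) != 0);
 #endif
+#if NFS_MOUNT_VERSION >= 5
+ printf("sec = %u\n", data.pseudoflavor);
+#endif
 #endif
 
 data.version = nfs_mount_version;
@@ -949,7 +991,9 @@ nfsmount(const char *spec, const char *n
 #endif
 } else {
 #if NFS_MOUNT_VERSION >= 4
+ mountres3_ok *mountres;
 fhandle3 *fhandle;
+ int i, *flavor, yum = 0;
 if (mntres.nfsv3.fhs_status != 0) {
 fprintf(stderr,
 _("mount: %s:%s failed, reason given by server: %s\n"),
@@ -957,6 +1001,32 @@ nfsmount(const char *spec, const char *n
 nfs_strerror(mntres.nfsv3.fhs_status));
 goto fail;
 }
+#if NFS_MOUNT_VERSION >= 5
+ mountres = &mntres.nfsv3.mountres3_u.mountinfo;
+ i = mountres->auth_flavours.auth_flavours_len;
+ if (i <= 0)
+ goto noauth_flavours;
+
+ flavor = mountres->auth_flavours.auth_flavours_val;
+ while (--i >= 0) {
+ if (flavor[i] == data.pseudoflavor)
+ yum = 1;
+#ifdef NFS_MOUNT_DEBUG
+ printf("auth flavor %d: %d\n",
+ i, flavor[i]);
+#endif
+ }
+ if (!yum) {
+ fprintf(stderr,
+ "mount: %s:%s failed, "
+ "security flavor not supported\n",
+ hostname, dirname);
+ /* server has registered us in mtab, send umount */
+ nfs_call_umount(&mnt_server, &dirname);
+ goto fail;
+ }
+noauth_flavours:
+#endif
 fhandle = &mntres.nfsv3.mountres3_u.mountinfo.fhandle;
 memset(data.old_root.data, 0, NFS_FHSIZE);
 memset(&data.root, 0, sizeof(data.root));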
251 | +#endif | |
252 | fhandle = &mntres.nfsv3.mountres3_u.mountinfo.fhandle; | |
253 | memset(data.old_root.data, 0, NFS_FHSIZE); | |
254 | memset(&data.root, 0, sizeof(data.root)); | |
255 | _ |