Kernel/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2025-01-17 10:46:33 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Documentation: nfs: rpc-server-gss: convert to ReST

Browse Source 
Convert rpc-server-gss.txt to ReST. Content remains mostly unchanged.

Signed-off-by: Daniel W. S. Almeida <dwlsalmeida@gmail.com>
Link: https://lore.kernel.org/r/20200129044917.566906-4-dwlsalmeida@gmail.com
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
This commit is contained in:
Daniel W. S. Almeida 2020-01-29 01:49:15 -03:00 committed by Jonathan Corbet
parent f0bf8a988b
commit 250baf06aa
2 changed files with 12 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Documentation/filesystems/nfs/index.rst
View File

@ -8,3 +8,4 @@ NFS
pnfs pnfs
rpc-cache rpc-cache
rpc-server-gss

19
Documentation/filesystems/nfs/rpc-server-gss.txt → Documentation/filesystems/nfs/rpc-server-gss.rst
View File

@ -1,4 +1,4 @@
=========================================
rpcsec_gss support for kernel RPC servers rpcsec_gss support for kernel RPC servers
========================================= =========================================
@ -9,14 +9,17 @@ NFSv4.1 and higher don't require the client to act as a server for the
purposes of authentication.) purposes of authentication.)
RPCGSS is specified in a few IETF documents: RPCGSS is specified in a few IETF documents:
- RFC2203 v1: http://tools.ietf.org/rfc/rfc2203.txt - RFC2203 v1: http://tools.ietf.org/rfc/rfc2203.txt
- RFC5403 v2: http://tools.ietf.org/rfc/rfc5403.txt - RFC5403 v2: http://tools.ietf.org/rfc/rfc5403.txt
and there is a 3rd version being proposed: and there is a 3rd version being proposed:
- http://tools.ietf.org/id/draft-williams-rpcsecgssv3.txt - http://tools.ietf.org/id/draft-williams-rpcsecgssv3.txt
(At draft n. 02 at the time of writing) (At draft n. 02 at the time of writing)
Background Background
---------- ==========
The RPCGSS Authentication method describes a way to perform GSSAPI The RPCGSS Authentication method describes a way to perform GSSAPI
Authentication for NFS. Although GSSAPI is itself completely mechanism Authentication for NFS. Although GSSAPI is itself completely mechanism
@ -29,6 +32,7 @@ depends on GSSAPI extensions that are KRB5 specific.
GSSAPI is a complex library, and implementing it completely in kernel is GSSAPI is a complex library, and implementing it completely in kernel is
unwarranted. However GSSAPI operations are fundementally separable in 2 unwarranted. However GSSAPI operations are fundementally separable in 2
parts: parts:
- initial context establishment - initial context establishment
- integrity/privacy protection (signing and encrypting of individual - integrity/privacy protection (signing and encrypting of individual
packets) packets)
@ -41,7 +45,7 @@ kernel, but leave the initial context establishment to userspace. We
need upcalls to request userspace to perform context establishment. need upcalls to request userspace to perform context establishment.
NFS Server Legacy Upcall Mechanism NFS Server Legacy Upcall Mechanism
---------------------------------- ==================================
The classic upcall mechanism uses a custom text based upcall mechanism The classic upcall mechanism uses a custom text based upcall mechanism
to talk to a custom daemon called rpc.svcgssd that is provide by the to talk to a custom daemon called rpc.svcgssd that is provide by the
@ -62,21 +66,20 @@ groups) due to limitation on the size of the buffer that can be send
back to the kernel (4KiB). back to the kernel (4KiB).
NFS Server New RPC Upcall Mechanism NFS Server New RPC Upcall Mechanism
----------------------------------- ===================================
The newer upcall mechanism uses RPC over a unix socket to a daemon The newer upcall mechanism uses RPC over a unix socket to a daemon
called gss-proxy, implemented by a userspace program called Gssproxy. called gss-proxy, implemented by a userspace program called Gssproxy.
The gss_proxy RPC protocol is currently documented here: The gss_proxy RPC protocol is currently documented `here
<https://fedorahosted.org/gss-proxy/wiki/ProtocolDocumentation>`_.
https://fedorahosted.org/gss-proxy/wiki/ProtocolDocumentation
This upcall mechanism uses the kernel rpc client and connects to the gssproxy This upcall mechanism uses the kernel rpc client and connects to the gssproxy
userspace program over a regular unix socket. The gssproxy protocol does not userspace program over a regular unix socket. The gssproxy protocol does not
suffer from the size limitations of the legacy protocol. suffer from the size limitations of the legacy protocol.
Negotiating Upcall Mechanisms Negotiating Upcall Mechanisms
----------------------------- =============================
To provide backward compatibility, the kernel defaults to using the To provide backward compatibility, the kernel defaults to using the
legacy mechanism. To switch to the new mechanism, gss-proxy must bind legacy mechanism. To switch to the new mechanism, gss-proxy must bind