rsync and kerberos - Tools


Thread: rsync and kerberos

  1. rsync and kerberos

    I would like to use GSSAPI authentication in rsync. GSSAPI is the
    standard way to use Kerberos.

    My idea is not to have a full PAM implementation, just a different
    way to authenticate users than the secrets file and MD4 challenge.

    I made a little experiment and it worked well.

    What I've done is change the challenge command. Instead of sending
    "@RSYNCD: AUTHREQD", it just sends "@RSYNCD: GSSAPI". Then
    GSSAPI bytes are exchanged and the user principal is returned instead
    of the rsync login. So the changes are small.

    Before submitting a full patch, I seek advice: do you think it's a good
    way to do that? Some configuration files need to be changed, the
    protocol must be changed; is there some best practice about that?

    Any help and advice is welcome.
    --
    Please use reply-all for most replies to avoid omitting the mailing list.
    To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
    Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
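To make the exchange being replaced concrete, here is an added example that is not code from the thread or from rsync itself: an in-memory model of the rsync daemon's stock "secrets file + challenge" authentication, plus a parser that tells the stock `@RSYNCD: AUTHREQD <challenge>` greeting apart from the `@RSYNCD: GSSAPI` marker the post proposes. The wire format (server sends the base64 challenge, client answers `user base64(hash(secret || challenge))` without `=` padding, MD5 for protocol 30 and MD4 for older protocols) follows rsync's authenticate.c as the editor recalls it, so treat it as an assumption to verify against your rsync version. The secrets file content, the `auth users` set and the user names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
import stat
import tempfile

# Constructed sample content of an rsyncd "secrets file" (user:password per line).
# Not a file from the thread; '#' comment lines are assumed to be skipped.
SECRETS_SAMPLE = "backup:s3cret\n# comment line\nalice:hunter2\n"
AUTH_USERS = {"backup", "alice"}          # the module's "auth users" list (assumed)


def parse_secrets(text):
    """Turn secrets-file text into {user: password}."""
    secrets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, password = line.partition(":")
        if sep:
            secrets[user] = password
    return secrets


def secrets_file_is_safe(path):
    """rsyncd (with the default 'strict modes = yes') refuses a secrets file
    that is readable by group or other; model that check on the mode bits."""
    mode = os.stat(path).st_mode
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def secrets_file_mode_demo(mode):
    """Create a throwaway secrets file with the given mode and run the check."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, SECRETS_SAMPLE.encode())
        os.close(fd)
        os.chmod(path, mode)
        return secrets_file_is_safe(path)
    finally:
        os.unlink(path)


def b64_nopad(raw):
    """rsync's base64_encode(..., pad=0): standard alphabet, '=' padding dropped."""
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def make_challenge():
    """Server side: a random, base64-encoded challenge string."""
    return b64_nopad(os.urandom(16))


def auth_response(secret, challenge):
    """Client side for protocol 30: base64(MD5(secret || challenge)).
    Protocol < 30 used MD4 here, the 'md4 challenge' the post refers to."""
    digest = hashlib.md5((secret + challenge).encode("utf-8")).digest()
    return b64_nopad(digest)


def parse_auth_greeting(line):
    """Classify the daemon's greeting: the stock challenge, or the GSSAPI
    marker that the proposed patch sends instead."""
    line = line.rstrip("\n")
    if line.startswith("@RSYNCD: AUTHREQD "):
        return "AUTHREQD", line[len("@RSYNCD: AUTHREQD "):]
    if line == "@RSYNCD: GSSAPI":
        return "GSSAPI", None
    raise ValueError("unexpected greeting: %r" % line)


def server_verify(secrets, auth_users, challenge, client_line):
    """Server side: parse 'user pass_hash'; return the user on success, else None.
    The comparison is constant-time so a wrong hash does not leak by timing."""
    user, _, given = client_line.rstrip("\n").partition(" ")
    if user not in auth_users or user not in secrets:
        return None
    expected = auth_response(secrets[user], challenge)
    return user if hmac.compare_digest(expected, given) else None


def demo_exchange(user, secret_supplied):
    """Run both sides of the challenge/response over in-memory 'wire' lines."""
    secrets = parse_secrets(SECRETS_SAMPLE)
    challenge = make_challenge()
    greeting = "@RSYNCD: AUTHREQD %s\n" % challenge            # server -> client
    kind, chal = parse_auth_greeting(greeting)
    if kind != "AUTHREQD":
        return None
    client_line = "%s %s\n" % (user, auth_response(secret_supplied, chal))  # client -> server
    return server_verify(secrets, AUTH_USERS, challenge, client_line)


if __name__ == "__main__":
    print("good password:", demo_exchange("backup", "s3cret"))
    print("bad password: ", demo_exchange("backup", "wrong"))
    print("world-readable secrets file accepted:", secrets_file_mode_demo(0o644))
```

Note what the stock scheme gives and lacks: the challenge stops replay of a captured response, but the shared secret sits in clear text in the secrets file on both ends, nothing authenticates the server to the client, and the data stream after authentication is unprotected. That is what replacing the greeting with a GSSAPI token exchange (and, as the next reply adds, signing and sealing) is meant to fix.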


  2. Re: rsync and kerberos

    On Fri, 2008-08-22 at 17:57 +0200, Bacchella Fabrice wrote:
    > I would like to use GSSAPI authentication in rsync. GSSAPI is the
    > standard way to use Kerberos.
    >
    > My idea is not to have a full PAM implementation, just a different
    > way to authenticate users than the secrets file and MD4 challenge.
    >
    > I made a little experiment and it worked well.
    >
    > What I've done is change the challenge command. Instead of sending
    > "@RSYNCD: AUTHREQD", it just sends "@RSYNCD: GSSAPI". Then
    > GSSAPI bytes are exchanged and the user principal is returned instead
    > of the rsync login. So the changes are small.
    >
    > Before submitting a full patch, I seek advice: do you think it's a good
    > way to do that? Some configuration files need to be changed, the
    > protocol must be changed; is there some best practice about that?
    >
    > Any help and advice is welcome.


    If you can use ssh then use ssh+GSSAPI auth and you will have to change
    nothing.

    But kerberizing the protocol itself is a *very* good idea, especially if
    you also use signing and sealing using GSSAPI.

    I very much look forward to any patch in this area, and I hope other rsync
    developers can help you to shape them up so that they can rapidly be
    accepted upstream.
    I'd be happy also to test patches when they are ready if you post them
    somewhere.

    Simo.

    --
    Simo Sorce * Red Hat, Inc * New York



  3. Re: rsync and kerberos


    On 22 Aug 2008 at 19:24, Simo Sorce wrote:
    >
    > If you can use ssh then use ssh+GSSAPI auth and you will have to
    > change
    > nothing.


    I'm already using that solution. But the cost in performance is very
    high, more than just the CPU needed to encrypt and decrypt.


  4. Re: rsync and kerberos

    On Mon, Aug 25, 2008 at 06:58:38PM +0200, Bacchella Fabrice wrote:
    > This patch only adds GSSAPI authentication, I wanted it to be simple and
    > fast to code.


    Thanks! I've saved it off and will give it a look soon.

    ...wayne..


  5. Re: rsync and kerberos


    On 26 Aug 2008 at 04:03, Wayne Davison wrote:

    > On Mon, Aug 25, 2008 at 06:58:38PM +0200, Bacchella Fabrice wrote:
    >> This patch only adds GSSAPI authentication, I wanted it to be simple
    >> and fast to code.

    >
    > Thanks! I've saved it off and will give it a look soon.


    Please feel free to send back any recommendation. It's a first draft
    and I accept any recommendation or best-practice guidelines.


  6. Re: rsync and kerberos

    Still working on my GSS patch.

    Here is a more polished patch against rsync-3.0.3. It should work out of
    the box.

    I tested it on Solaris 10 x86 (64-bit compilation), Mac OS 10.5 (32-bit
    but not 64-bit), Linux (Gentoo with MIT Kerberos, 64-bit).

    To use it, add this to your module configuration:
    use gssapi = yes
    auth users =




  7. Re: rsync and kerberos

    On Fri, 2008-08-29 at 18:50 +0200, Bacchella Fabrice wrote:
    > Still working on my gss patch.


    Please remember to attach the updated patch!

    To generate a single diff, you can "git add" the files you added/changed
    and then run "git diff HEAD". You could also look into maintaining a
    git repository containing your change on the Web.

    Matt



  8. Re: rsync and kerberos

    Reading your patch, one quick comment.

    It seems to me you define host/ in RSYNC_GSS_SERVICE; wouldn't it be
    better to have an rsync-specific service principal like
    rsync/full.host.name@REALM ?

    The host principal should not be abused and it is good practice to have
    your own service (and therefore a separate keytab/secret for separate
    services).

    HTTP, FTP, NFS, etc... they all use their own service principal.

    Simo.

    On Sat, 2008-08-30 at 05:29 +0200, Bacchella Fabrice wrote:
    > Indeed. Thanks for the tip about git.
    >
    > The diffs against 3.0.3 & git :
    >
    >
    >
    >
    > On 30 Aug 2008 at 01:02, Matt McCutchen wrote:
    >
    > > On Fri, 2008-08-29 at 18:50 +0200, Bacchella Fabrice wrote:
    > >> Still working on my gss patch.

    > >
    > > Please remember to attach the updated patch!
    > >
    > > To generate a single diff, you can "git add" the files you added/
    > > changed
    > > and then run "git diff HEAD". You could also look into maintaining a
    > > git repository containing your change on the Web.
    > >
    > > Matt

    >

    --
    Simo Sorce * Red Hat, Inc * New York



  9. Re: rsync and kerberos

    OK, that's really a question for which I have no answer. Do you have
    any links that explain the purpose of host/, nfs/ and all? I don't see
    exactly what they are there for.


    On 30 Aug 2008 at 07:00, Simo Sorce wrote:

    > Reading your patch, one quick comment.
    >
    > It seem to me you define host/ in RSYNC_GSS_SERVICE, wouldn't it be
    > better to have an rsync specific service principal like:
    > rsync/full.host.name@REALM ?
    >
    > The host principal should not be abused and it is good practice to
    > have
    > your own service (and therefore a separate keytab/secret for separate
    > services).
    >
    > HTTP, FTP, NFS, etc... they all use their own service principal.
    >
    > Simo.
    >
    > On Sat, 2008-08-30 at 05:29 +0200, Bacchella Fabrice wrote:
    >> Indeed. Thanks for the tip about git.
    >>
    >> The diffs against 3.0.3 & git :
    >>
    >>
    >>
    >>
    >> On 30 Aug 2008 at 01:02, Matt McCutchen wrote:
    >>
    >>> On Fri, 2008-08-29 at 18:50 +0200, Bacchella Fabrice wrote:
    >>>> Still working on my gss patch.
    >>>
    >>> Please remember to attach the updated patch!
    >>>
    >>> To generate a single diff, you can "git add" the files you added/
    >>> changed
    >>> and then run "git diff HEAD". You could also look into
    >>> maintaining a
    >>> git repository containing your change on the Web.
    >>>
    >>> Matt

    >>

    > --
    > Simo Sorce * Red Hat, Inc * New York
    >




  10. Re: rsync and kerberos

    They are used to identify a specific service on a machine.
    Using a different prefix you end up with a different principal name.
    For example: HTTP/www.example.com@EXAMPLE.COM and
    FTP/www.example.com@EXAMPLE.COM

    Different principal names mean different Kerberos secrets, and the
    possibility to use different Kerberos keytabs like:
    /etc/httpd/http.keytab and /etc/ftp/ftp.keytab

    If the permissions on the file are strict and allow access only to the
    respective http and ftp user, it means that compromise of one service
    does not allow access to the keytab of another service.

    The host/fqdn@REALM keytab is used to identify the host. The 2 services
    that use it are usually SSH and pam_krb5 (to double-check the KDC is
    legitimate).

    The first part is totally arbitrary, so you can freely choose to use
    rsync/ or maybe RSYNC/.
    You could make the keytab file and principal name configurable.
    The best option is to make the principal name rsync/ and keep the keytab
    somewhere located where the rest of the rsync daemon configuration files
    are placed, with permissions on the keytab file of 400 and
    ownership of the user used to run the rsyncd daemon.

    If you make the principal configurable the client too will need a way to
    specify the principal name or at the very least the service prefix.

    Simo.


    On Sat, 2008-08-30 at 12:27 +0200, Bacchella Fabrice wrote:
    > Ok, that's really a question for which I have no answer. Do you have
    > any links that explain the purpose of host/ nfs/ and all ? I don't see
    > exactly what are there for.
    >
    >
    > On 30 Aug 2008 at 07:00, Simo Sorce wrote:
    >
    > > Reading your patch, one quick comment.
    > >
    > > It seem to me you define host/ in RSYNC_GSS_SERVICE, wouldn't it be
    > > better to have an rsync specific service principal like:
    > > rsync/full.host.name@REALM ?
    > >
    > > The host principal should not be abused and it is good practice to
    > > have
    > > your own service (and therefore a separate keytab/secret for separate
    > > services).
    > >
    > > HTTP, FTP, NFS, etc... they all use their own service principal.
    > >
    > > Simo.
    > >
    > > On Sat, 2008-08-30 at 05:29 +0200, Bacchella Fabrice wrote:
    > >> Indeed. Thanks for the tip about git.
    > >>
    > >> The diffs against 3.0.3 & git :
    > >>
    > >>
    > >>
    > >>
    > >> On 30 Aug 2008 at 01:02, Matt McCutchen wrote:
    > >>
    > >>> On Fri, 2008-08-29 at 18:50 +0200, Bacchella Fabrice wrote:
    > >>>> Still working on my gss patch.
    > >>>
    > >>> Please remember to attach the updated patch!
    > >>>
    > >>> To generate a single diff, you can "git add" the files you added/
    > >>> changed
    > >>> and then run "git diff HEAD". You could also look into
    > >>> maintaining a
    > >>> git repository containing your change on the Web.
    > >>>
    > >>> Matt
    > >>

    > > --
    > > Simo Sorce * Red Hat, Inc * New York
    > >

    >

    --
    Simo Sorce * Red Hat, Inc * New York



  11. Re: rsync and kerberos


    On 30 Aug 2008 at 16:33, Simo Sorce wrote:


    > If the permissions on the file is strict and allow access only to the
    > respective http and ftp user it means that compromise of one service
    > does not allow to get access to the keytab of another service.


    OK, that's the point I missed about the prefix usage. Thanks.

    > You could make the keytab file and principal name configurable.
    > Best option is to make the principal name be rsync/ and keep the
    > keytab
    > somewhere located where the rest of the rsync daemon configuration
    > files
    > are placed, and with permissions on the keytab file to be 400 with
    > ownership of the user used to run the rsyncd daemon.



    Yes, I totally agree. But the keytab is a pure Kerberos thing, so
    how can it be specified using GSSAPI? MIT Kerberos uses an environment
    variable, for example. How do others?

    Anyway I'm OK for changing the service name.



  12. Re: rsync and kerberos

    On Sat, 2008-08-30 at 17:09 +0200, Bacchella Fabrice wrote:

    > Yes, I do totally agree. But the keytab is a pure kerberos thing, so
    > how can it be specified using GSSAPI? MIT Kerberos uses an environment
    > variable for example. How do others ?


    Usually setting the environment variable is the method used, either in
    init scripts or by using setenv().

    > Anyway I'm OK for changing the service name.


    Cool.

    Thanks,
    Simo.

    --
    Simo Sorce * Red Hat, Inc * New York

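The keytab advice from the two replies above (a service-specific rsync/fqdn@REALM principal, a keytab stored with the daemon's configuration, mode 400 and owned by the daemon user, and the keytab handed to the Kerberos library through an environment variable) as an added shell example. This is not code from the thread, from the patch or from rsync; the daemon user "rsync", the paths /etc/rsyncd.keytab and /etc/rsyncd.conf, and the KRB5_KTNAME variable (honoured by MIT Kerberos and Heimdal) are assumptions. The demo runs the permission check against a constructed empty placeholder file, since a real keytab comes from kadmin or ktutil.

```sh
#!/bin/sh
# Added example: keytab hygiene for a kerberized rsyncd.
# Assumed: daemon user "rsync", keytab at /etc/rsyncd.keytab next to
# /etc/rsyncd.conf, and a Kerberos library that reads KRB5_KTNAME.

# rsync_principal <fqdn> <REALM>: the service-specific name, not host/.
rsync_principal() {
    printf 'rsync/%s@%s\n' "$1" "$2"
}

# Portable stat helpers: GNU stat first, then BSD/macOS stat.
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# check_keytab <keytab> <daemon-user>: 0 if the keytab is mode 400 and
# owned by that user, 1 (with a reason on stderr) otherwise.
check_keytab() {
    keytab=$1; owner=$2
    [ -f "$keytab" ] || { echo "no keytab at $keytab" >&2; return 1; }
    mode=$(file_mode "$keytab")
    own=$(file_owner "$keytab")
    [ "$mode" = "400" ] || { echo "$keytab is mode $mode, want 400" >&2; return 1; }
    [ "$own" = "$owner" ] || { echo "$keytab owned by $own, want $owner" >&2; return 1; }
    return 0
}

# start_rsyncd <keytab> <config>: refuse to start on a lax keytab, otherwise
# point the GSSAPI library at it via the environment and exec the daemon.
start_rsyncd() {
    check_keytab "$1" rsync || return 1
    KRB5_KTNAME="FILE:$1"; export KRB5_KTNAME
    exec rsync --daemon --no-detach --config="$2"
}

# keytab_demo: run the check on a constructed placeholder file owned by the
# current user, first world-readable, then locked down; prints both verdicts.
keytab_demo() {
    dir=$(mktemp -d)
    kt="$dir/rsyncd.keytab"
    : > "$kt"
    me=$(id -un)
    chmod 644 "$kt"
    if check_keytab "$kt" "$me" 2>/dev/null; then lax=accepted; else lax=rejected; fi
    chmod 400 "$kt"
    if check_keytab "$kt" "$me" 2>/dev/null; then strict=accepted; else strict=rejected; fi
    rm -rf "$dir"
    echo "$lax $strict"
}
```

Usage: `start_rsyncd /etc/rsyncd.keytab /etc/rsyncd.conf` from the init script, so the daemon only ever sees its own key and a compromise of another kerberized service on the same host (running under another user with its own keytab) does not expose rsync's.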


  13. Re: rsync and kerberos

    I just posted my patch against the latest release, with a mini HOWTO
    here:

    http://devel.asyd.net/xwiki/bin/view/krsync/

    On 31 Aug 2008 at 15:46, Simo Sorce wrote:

    > On Sat, 2008-08-30 at 17:09 +0200, Bacchella Fabrice wrote:
    >
    >> Yes, I do totally agree. But the keytab is a pure kerberos thing, so
    >> how can it be specified using GSSAPI? MIT Kerberos uses an environment
    >> variable for example. How do others ?

    >
    > Usually setting the environment variable is the used method. Either in
    > init scripts, or by using setenv()
    >
    >> Anyway I'm OK for changing the service name.

    >
    > Cool.
    >
    > Thanks,
    > Simo.
    >
    > --
    > Simo Sorce * Red Hat, Inc * New York
    >



