Hassles with getting our NFS mount authentication working on Linux

November 3, 2014

Our existing Solaris NFS fileservers have a custom NFS mount authentication method to do relatively strong authentication of a machine's identity before we allow it to establish a NFS mount from us. For various reasons we've started looking at doing NFS service from Linux machines and so we need to implement some version of our NFS mount authentication for them (ideally one that looks exactly the same from the client side).

Our existing Solaris mechanism uses a NSS netgroup module that does the authentication as part of checking netgroup membership. Given that Linux has NSS modules and /etc/nsswitch.conf and so on, I figured that this would be the easiest and most natural way to implement our system on Linux. Unfortunately this ran into the roadblock that you can't write a NSS module that implements netgroups without using internal glibc headers that define an internal glibc struct that your functions must manipulate. In effect you can't write NSS netgroup modules at all.

(Since this is an internal header glibc is free to change the structure at any time and thereby make your existing compiled module silently binary incompatible.)

This leaves me trying to figure out the best alternate approach. Right now I can think of three:

  • Modify mountd itself, since we have the source code. The two drawbacks to this is that we have to figure out where (and how) to modify the mountd source and then we have to keep our hack up to date as new versions of mountd are released. This implies we'd be replacing a standard Ubuntu or CentOS package with a local version, which doesn't make me really happy.

  • Switch to IPSec for clients that need NFS mount authentication. The obvious drawbacks are that this is likely to be (much) slower and we have to get IPSec working, probably in its more complex form with IKE.

  • Use a firewall based mechanism to block access to the server's NFS and mountd daemons until a client has been authenticated (this might be a good use for ipsets). The drawback of this approach is that it requires the most custom software on the server and probably the client. I'd like some way to intercept mount requests, trigger our actions, and then let the mount request go on, but I don't know if that's even possible (or at least possible without deep netfilter hacks).

I plan to ask the linux-nfs mailing list if they have any clever ideas that I'm missing or any opinions on the best approach to do this, although I suspect that they'll tell me to use IPSec (it's the obvious solution apart from the performance hit).

The whole situation with glibc mis-managing NSS netgroup support irritates me. NSS is theoretically supposed to enable people to add their own modules but glibc has crippled this part of it for no good reason and made our life significantly more painful in the process. I'd report this as a bug to the glibc people except that the idea of reporting any 'features missing or misimplemented' issue to glibc is utterly laughable; not only would my problems not get solved any time soon even in the best case, but historically it has been an excellent way to get abused.

(While there are NSS modules outside of glibc I don't believe that any of them support netgroups, just things like users and groups and passwords. Not that glibc even really documents how to write those sorts of NSS modules either.)

Written on 03 November 2014.
« What I'm worried about with retina displays on Linux
The weakness of doing authentication over a side channel »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Mon Nov 3 23:44:39 2014
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.