Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/openafsServer: automatic extraction of authentication keys from Kerberos 5 service keytab #337101

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

nixos/openafsServer: automatic extraction of authentication keys from Kerberos 5 service keytab #337101

wants to merge 2 commits into from

Conversation

nessdoor
Copy link
Contributor

@nessdoor nessdoor commented Aug 24, 2024
edited
Loading

Description of changes

Contemporary OpenAFS cells authenticate both users and servers by relying on an existing Kerberos infrastructure. For legacy and compatibility reasons, OpenAFS servers do not use Kerberos 5 service keytabs directly, but instead rely on an OpenAFS-specific keyring located at /etc/openafs/server/KeyFileExt. This keyring must be filled and managed imperatively by way of the asetkey command.

To make matters more complicated, asetkey expects the administrator to be aware of the internal numerical encoding used by Kerberos 5 to represent encryption key types, and requires this information to be entered for each key that is added to the keyring via asetkey add (see asetkey(8)).

This PR introduces an automatic mechanism that, given an ordinary Kerberos 5 keytab, parses it for the AFS service keys (identified by a user-configured principal) and automatically constructs a KeyFileExt from these, declaratively and without any further user interaction. The AFS administrator only has to assign the runtime path of the keytab to the services.openafsServer.authentication.keytab option and, if needed, indicate the Kerberos 5 principal of the AFS service by setting the value of services.openafsServer.authentication.principal.

The legacy behavior is retained by default or by explicitly setting services.openafsServer.authentication.keytab = null.

This improvement constitutes a further step towards achieving complete AFS automatic deployment, easing the configuration of machines with volatile root partitions, and implementing automated tests.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: documentation This PR adds or changes documentation 8.has: changelog 8.has: module (update) This PR changes an existing module in `nixos/` labels Aug 24, 2024
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Aug 24, 2024
@nessdoor nessdoor requested a review from spacefrogg November 13, 2024 13:58
@nessdoor nessdoor added the backport release-24.11 Backport PR automatically label Nov 15, 2024
@nessdoor nessdoor requested a review from spacefrogg November 15, 2024 16:27
spacefrogg
spacefrogg suggested changes Nov 15, 2024
View reviewed changes
nixos/modules/services/network-filesystems/openafs/server.nix Outdated
"|/etc/openafs/server/KeyFileExt"
];
preStart = ''
mkdir -m 0755 -p /var/openafs
${optionalString (netInfo != null) "cp ${netInfo} /var/openafs/netInfo"}
${optionalString useBuCellServDB "cp ${buCellServDB}"}
'' + lib.optionalString (cfg.authentication.keytab != null) ''
rm -f /etc/openafs/server/KeyFileExt
${asetkeyScript}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just noticed that asetkeyScript never calls asetkey when the configured principal is not in the keytable or the keytable cannot be read. Thus, KeyFileExt never gets created. Please, make preStart fail with a descriptive error message in that case.

@spacefrogg spacefrogg removed the backport release-24.11 Backport PR automatically label Nov 15, 2024
@nessdoor nessdoor force-pushed the openafs-keytab branch 2 times, most recently from a06e68e to 3dc63f1 Compare November 19, 2024 12:25
@nessdoor nessdoor requested a review from spacefrogg November 19, 2024 12:34
@nessdoor
Copy link
Contributor Author

nessdoor commented Nov 19, 2024
edited
Loading

I have modified the AWK script to exit with an error if it could not find any key for the given principal.
I have also modified the wrapping script to be more sensible to errors (set -eo pipefail).
I tested the whole pipeline locally, and it seems to be working as intended.

I also took the liberty of retargeting the release notes for 25.05 instead of 24.11.

spacefrogg
spacefrogg approved these changes Nov 28, 2024
View reviewed changes
Copy link
Contributor

@spacefrogg spacefrogg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good!

@wegank wegank added the 12.approvals: 1 This PR was reviewed and approved by one reputable person label Nov 29, 2024
@wegank wegank added the 2.status: merge conflict This PR has merge conflicts with the target branch label Dec 10, 2024
@nessdoor
nixos/openafsServer: add authentication.{principal/keytab} option
50fb36c 
Allow users to set a Kerberos 5 keytab from which to automatically extract the
authentication keys necessary for AFS operations.
@nessdoor
doc: add release notes for the openafsServer.authentication options
5827cbd
@nessdoor
Copy link
Contributor Author

Resolved merge conflict on release notes and server.nix post-reformat, and reformatted changes to comply with the new rules.
All other modifications left unchanged.

@nessdoor nessdoor removed the 2.status: merge conflict This PR has merge conflicts with the target branch label Dec 30, 2024
@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/5030

@wegank wegank removed the 12.approvals: 1 This PR was reviewed and approved by one reputable person label Dec 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@spacefrogg spacefrogg spacefrogg approved these changes

@maggesi maggesi Awaiting requested review from maggesi

@andersk andersk Awaiting requested review from andersk

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: changelog 8.has: documentation This PR adds or changes documentation 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@nessdoor @nixos-discourse @spacefrogg @wegank