Linux kernel documentation translation: rpcsec_gss support for kernel RPC servers
2013-11-03 14:24
Chinese translated version of Documentation/namespaces/resource-control.txt
If you have any comment or update to the content, please contact the
original document maintainer directly. However, if you have a problem
communicating in English you can also ask the Chinese maintainer for
help. Contact the Chinese maintainer if this translation is outdated
or if there is a problem with the translation.
Chinese maintainer: 田雨 479103577@qq.com
Chinese translator: 田雨 479103577@qq.com
Chinese proofreader: 田雨 479103577@qq.com
---------------------------------------------------------------------
rpcsec_gss support for kernel RPC servers
=========================================

This document gives references to the standards and protocols used to
implement RPCGSS authentication in kernel RPC servers such as the NFS
server and the NFS client's NFSv4.0 callback server. (But note that
NFSv4.1 and higher don't require the client to act as a server for the
purposes of authentication.)
RPCGSS is specified in a few IETF documents:
- RFC2203 v1: http://tools.ietf.org/rfc/rfc2203.txt
- RFC5403 v2: http://tools.ietf.org/rfc/rfc5403.txt
and there is a 3rd version being proposed:
- http://tools.ietf.org/id/draft-williams-rpcsecgssv3.txt
(At draft n. 02 at the time of writing)

Background
----------

The RPCGSS Authentication method describes a way to perform GSSAPI
Authentication for NFS. Although GSSAPI is itself completely mechanism
agnostic, in many cases only the KRB5 mechanism is supported by NFS
implementations.
The Linux kernel, at the moment, supports only the KRB5 mechanism, and
depends on GSSAPI extensions that are KRB5 specific.
GSSAPI is a complex library, and implementing it completely in kernel is
unwarranted. However GSSAPI operations are fundamentally separable in 2
parts:
- initial context establishment
- integrity/privacy protection (signing and encrypting of individual
  packets)
The former is more complex and policy-independent, but less
performance-sensitive. The latter is simpler and needs to be very fast.
Therefore, we perform per-packet integrity and privacy protection in the
kernel, but leave the initial context establishment to userspace. We
need upcalls to request userspace to perform context establishment.

NFS Server Legacy Upcall Mechanism
----------------------------------

The classic upcall mechanism uses a custom text based upcall mechanism
to talk to a custom daemon called rpc.svcgssd that is provided by the
nfs-utils package.
This upcall mechanism has 2 limitations:

A) It can handle tokens that are no bigger than 2KiB

In some Kerberos deployments GSSAPI tokens can be quite big, up and
beyond 64KiB in size due to various authorization extensions attached to
the Kerberos tickets, that need to be sent through the GSS layer in
order to perform context establishment.

B) It does not properly handle creds where the user is member of more
than a few thousand groups (the current hard limit in the kernel is 65K
groups) due to limitation on the size of the buffer that can be sent
back to the kernel (4KiB).

NFS Server New RPC Upcall Mechanism
-----------------------------------

The newer upcall mechanism uses RPC over a unix socket to a daemon
called gss-proxy, implemented by a userspace program called Gssproxy.

The gss_proxy RPC protocol is currently documented here:

https://fedorahosted.org/gss-proxy/wiki/ProtocolDocumentation

This upcall mechanism uses the kernel rpc client and connects to the gssproxy
userspace program over a regular unix socket. The gssproxy protocol does not
suffer from the size limitations of the legacy protocol.

Negotiating Upcall Mechanisms
-----------------------------

To provide backward compatibility, the kernel defaults to using the
legacy mechanism. To switch to the new mechanism, gss-proxy must bind
to /var/run/gssproxy.sock and then write "1" to
/proc/net/rpc/use-gss-proxy. If gss-proxy dies, it must repeat both
steps.
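The two-step switch described above, written out as an added Python example (it is not part of the kernel document or of the gss-proxy project). It assumes only the two paths the text names, takes them as parameters so the sequence can be rehearsed against scratch files, and the names `enable_gss_proxy` and `gss_proxy_active` are chosen here; the check function additionally reports the state left behind when gss-proxy has died without repeating both steps.

```python
import os
import socket
import stat

# Paths named in the kernel document; both functions take them as
# parameters so the sequence can be exercised against scratch files.
GSSPROXY_SOCK = "/var/run/gssproxy.sock"
USE_GSS_PROXY = "/proc/net/rpc/use-gss-proxy"


def enable_gss_proxy(sock_path=GSSPROXY_SOCK, proc_path=USE_GSS_PROXY):
    """Do the two steps in the order the document requires: bind the unix
    socket first, then write "1" to use-gss-proxy.  Returns the listening
    socket; the daemon keeps it open for as long as it serves upcalls."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)  # stale socket file left by an earlier instance
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(8)
    # Only once a listener exists is the kernel told to use it, so an
    # upcall issued immediately after the switch finds something to connect to.
    with open(proc_path, "w") as f:
        f.write("1")
    return srv


def gss_proxy_active(sock_path=GSSPROXY_SOCK, proc_path=USE_GSS_PROXY):
    """Report which upcall mechanism the two files currently select.
    "new":    use-gss-proxy reads 1 and a socket file is present
    "legacy": use-gss-proxy is unset or absent (kernel default)
    "broken": use-gss-proxy reads 1 but no socket file is present, the
              state after gss-proxy died without redoing both steps"""
    try:
        with open(proc_path) as f:
            flag = f.read().strip()
    except OSError:
        return "legacy"  # file missing: nothing has switched the mechanism
    try:
        is_sock = stat.S_ISSOCK(os.stat(sock_path).st_mode)
    except OSError:
        is_sock = False
    if flag == "1" and is_sock:
        return "new"
    if flag == "1":
        return "broken"
    return "legacy"
```

Run as root on a live server the defaults point at the real files; the check function is read-only and safe to use from a health probe.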