CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

nfscl: Add a new NFSv4.1/4.2 mount option for Kerberized mounts

Without this patch, a Kerberized NFSv4.1/4.2 mount must provide
a Kerberos credential for the client at mount time.  This credential
is typically referred to as a "machine credential".  It can be
created one of two ways:
- The user (usually root) has a valid TGT at the time the mount
  is done and this becomes the machine credential.
  There are two problems with this.
  1 - The user doing the mount must have a valid TGT for a user
      principal at mount time.  As such, the mount cannot be put
      in fstab(5) or similar.
  2 - When the TGT expires, the mount breaks.
- The client machine has a service principal in its default keytab
  file and this service principal (typically called a host-based
  initiator credential) is used as the machine credential.
  There are problems with this approach as well:
  1 - There is a certain amount of administrative overhead creating
      the service principal for the NFS client, creating a keytab
      entry for this principal and then copying the keytab entry
      into the client's default keytab file via some secure means.
  2 - The NFS client must have a fixed, well known, DNS name, since
      that FQDN is in the service principal name as the instance.

This patch uses a feature of NFSv4.1/4.2 called SP4_NONE, which
allows the state maintenance operations to be performed by any
authentication mechanism, to do these operations via AUTH_SYS
instead of RPCSEC_GSS (Kerberos).  As such, neither of the above
mechanisms is needed.

It is hoped that this option will encourage adoption of Kerberized
NFS mounts using TLS, to provide a more secure NFS mount.

This new NFSv4.1/4.2 mount option, called "syskrb5" must be used
with "sec=krb5[ip]" to avoid the need for either of the above
Kerberos setups to be done by the client.

Note that all file access/modification operations still require
users on the NFS client to have a valid TGT recognized by the
NFSv4.1/4.2 server.  As such, this option allows, at most, a
malicious client to do some sort of DOS attack.

Although not required, use of "tls" with this new option is
encouraged, since it provides on-the-wire encryption plus,
optionally, client identity verification via a X.509
certificate provided to the server during TLS handshake.
Alternately, "sec=krb5p" does provide on-the-wire
encryption of file data.

A mount_nfs(8) man page update will be done in a separate commit.

Discussed on: freebsd-current@
MFC after: 3 months

author	Rick Macklem <rmacklem@FreeBSD.org>
	Thu, 16 Mar 2023 22:55:36 +0000 (15:55 -0700)
committer	Rick Macklem <rmacklem@FreeBSD.org>
	Thu, 16 Mar 2023 22:55:36 +0000 (15:55 -0700)
commit	896516e54a8c39c1c8be3ad918f38fbf196b57ed
tree	116c337528af4ae55f6bc709b628bd94f1263aed	tree \| snapshot
parent	58436df347de665f6bc635a0e3018fc6f3d0a656	commit \| diff

sys/fs/nfs/nfs.h		diff \| blob \| history
sys/fs/nfs/nfs_commonkrpc.c		diff \| blob \| history
sys/fs/nfs/nfs_commonsubs.c		diff \| blob \| history
sys/fs/nfs/nfs_var.h		diff \| blob \| history
sys/fs/nfs/nfsport.h		diff \| blob \| history
sys/fs/nfsclient/nfs_clnode.c		diff \| blob \| history
sys/fs/nfsclient/nfs_clport.c		diff \| blob \| history
sys/fs/nfsclient/nfs_clrpcops.c		diff \| blob \| history
sys/fs/nfsclient/nfs_clvfsops.c		diff \| blob \| history
sys/fs/nfsclient/nfs_clvnops.c		diff \| blob \| history
sys/fs/nfsclient/nfsmount.h		diff \| blob \| history
sys/fs/nfsserver/nfs_nfsdport.c		diff \| blob \| history
sys/fs/nfsserver/nfs_nfsdserv.c		diff \| blob \| history
sys/fs/nfsserver/nfs_nfsdstate.c		diff \| blob \| history