From: Chuck Lever III <chuck.lever@oracle.com>
To: Jeff Layton <jlayton@kernel.org>
Cc: Chuck Lever <cel@kernel.org>, Steve Dickson <SteveD@redhat.com>,
Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH v1 4/4] exports.man: Add description of xprtsec= to exports(5)
Date: Tue, 21 Mar 2023 14:08:55 +0000 [thread overview]
Message-ID: <00B8D419-0F7F-43FB-8DA1-5C6BD93DE1A7@oracle.com> (raw)
In-Reply-To: <fdfa374a7d5072c9b4606476b52f049a6a165ef9.camel@kernel.org>
> On Mar 21, 2023, at 8:06 AM, Jeff Layton <jlayton@kernel.org> wrote:
>
> On Mon, 2023-03-20 at 10:35 -0400, Chuck Lever wrote:
>> From: Chuck Lever <chuck.lever@oracle.com>
>>
>> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
>> ---
>> utils/exportfs/exports.man | 45 +++++++++++++++++++++++++++++++++++++++++++-
>> 1 file changed, 44 insertions(+), 1 deletion(-)
>>
>> diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man
>> index 54b3f8776ea6..cca9bb7b4aeb 100644
>> --- a/utils/exportfs/exports.man
>> +++ b/utils/exportfs/exports.man
>> @@ -125,7 +125,49 @@ In that case you may include multiple sec= options, and following options
>> will be enforced only for access using flavors listed in the immediately
>> preceding sec= option. The only options that are permitted to vary in
>> this way are ro, rw, no_root_squash, root_squash, and all_squash.
>> +.SS Transport layer security
>> +The Linux NFS server supports the use of transport layer security to
>> +protect RPC traffic between itself and its clients.
>> +This can be in the form of a VPN, an ssh tunnel, or via RPC-with-TLS,
>> +which uses TLSv1.3.
>
> This is a little awkward, as the NFS server really isn't involved at all
> at that level in the case of a VPN or ssh tunnel. How about:
>
> The Linux NFS server supports transport layer security (TLS) to protect
> RPC traffic between itself and its clients via RPC-with-TLS which uses
> TLSv1.3. Alternately, RPC traffic can be secured via a VPN, ssh tunnel
> or similar mechanism that encrypts traffic in a way that is transparent
> to the server.
Sure, that expresses what I was after.
>> .PP
>> +Administrators may choose to require the use of
>> +RPC-with-TLS to protect access to individual exports.
>> +This is particularly useful when using non-cryptographic security
>> +flavors such as
>> +.IR sec=sys .
>> +The
>> +.I xprtsec=
>> +option, followed by a colon-delimited list of security policies,
>> +can restrict access to the export to only clients that have negotiated
>> +transport-layer security.
>> +Currently supported transport layer security policies include:
>> +.TP
>> +.IR none
>> +The server permits clients to access the export
>> +without the use of transport layer security.
>> +.TP
>> +.IR tls
>> +The server permits clients that have negotiated an RPC-with-TLS session
>> +without peer authentication (confidentiality only) to access the export.
>> +Clients are not required to offer an x.509 certificate
>> +when establishing a transport layer security session.
>> +.TP
>> +.IR mtls
>> +The server permits clients that have negotiated an RPC-with-TLS session
>> +with peer authentication to access the export.
>> +The server requires clients to offer an x.509 certificate
>> +when establishing a transport layer security session.
>> +.PP
>> +The default setting is
>> +.IR xprtsec=none:tls:mtls .
>
> Shouldn't that list order be reversed? IOW, shouldn't we default to mtls
> first since it's more secure?
>
> It might also be good to spell out what the kernel does with an ordered
> list here. In what order are these methods attempted and at what point
> does the server give up?
There's no order to this list. It's simply a list of
transport layer security settings that the server will
permit clients to use on this transport.
The "ordered list" concept is from the MNT protocol.
For xprtsec, there's no communication or negotiation
of preferences with clients.
>> +This is also known as "opportunistic mode".
>> +The server permits clients to use any transport layer security mechanism
>> +to access the export.
>> +.PP
>> +The server administrator must install and configure
>> +.BR tlshd
>> +to handle transport layer security handshake requests from the local kernel.
>
> In the event that tlshd isn't running, what happens? I assume we give up
> on TLS at that point, but how long does it take for the kernel to
> realize that it's not there?
If tlshd is not running, the handshake request fails immediately.
There's no timeout needed thanks to netlink multi-cast.
>> .SS General Options
>> .BR exportfs
>> understands the following export options:
>> @@ -581,7 +623,8 @@ a character class wildcard match.
>> .BR netgroup (5),
>> .BR mountd (8),
>> .BR nfsd (8),
>> -.BR showmount (8).
>> +.BR showmount (8),
>> +.BR tlshd (8).
>> .\".SH DIAGNOSTICS
>> .\"An error parsing the file is reported using syslogd(8) as level NOTICE from
>> .\"a DAEMON whenever
>>
>>
>
> --
> Jeff Layton <jlayton@kernel.org>
--
Chuck Lever
next prev parent reply other threads:[~2023-03-21 14:09 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-20 14:35 [PATCH v1 0/4] nfs-utils changes for RPC-with-TLS server Chuck Lever
2023-03-20 14:35 ` [PATCH v1 1/4] libexports: Fix whitespace damage in support/nfs/exports.c Chuck Lever
2023-03-20 14:35 ` [PATCH v1 2/4] exports: Add an xprtsec= export option Chuck Lever
2023-03-21 11:55 ` Jeff Layton
2023-03-21 18:08 ` Chuck Lever III
2023-03-21 18:58 ` Jeff Layton
2023-03-23 17:53 ` Steve Dickson
2023-03-23 17:55 ` Chuck Lever III
2023-03-20 14:35 ` [PATCH v1 3/4] exportfs: Push xprtsec settings to the kernel Chuck Lever
2023-03-20 14:35 ` [PATCH v1 4/4] exports.man: Add description of xprtsec= to exports(5) Chuck Lever
2023-03-21 12:06 ` Jeff Layton
2023-03-21 14:08 ` Chuck Lever III [this message]
2023-03-21 15:11 ` Jeff Layton
2023-03-21 11:52 ` [PATCH v1 0/4] nfs-utils changes for RPC-with-TLS server Jeff Layton
2023-03-23 17:57 ` Steve Dickson
2023-03-23 18:01 ` Chuck Lever III
2023-03-24 18:35 ` Steve Dickson
2023-03-24 19:50 ` Chuck Lever III
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=00B8D419-0F7F-43FB-8DA1-5C6BD93DE1A7@oracle.com \
--to=chuck.lever@oracle.com \
--cc=SteveD@redhat.com \
--cc=cel@kernel.org \
--cc=jlayton@kernel.org \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).