freebsd-dev/sys/fs
Rick Macklem 896516e54a nfscl: Add a new NFSv4.1/4.2 mount option for Kerberized mounts
Without this patch, a Kerberized NFSv4.1/4.2 mount must provide
a Kerberos credential for the client at mount time.  This credential
is typically referred to as a "machine credential".  It can be
created one of two ways:
- The user (usually root) has a valid TGT at the time the mount
  is done and this becomes the machine credential.
  There are two problems with this.
  1 - The user doing the mount must have a valid TGT for a user
      principal at mount time.  As such, the mount cannot be put
      in fstab(5) or similar.
  2 - When the TGT expires, the mount breaks.
- The client machine has a service principal in its default keytab
  file and this service principal (typically called a host-based
  initiator credential) is used as the machine credential.
  There are problems with this approach as well:
  1 - There is a certain amount of administrative overhead creating
      the service principal for the NFS client, creating a keytab
      entry for this principal and then copying the keytab entry
      into the client's default keytab file via some secure means.
  2 - The NFS client must have a fixed, well known, DNS name, since
      that FQDN is in the service principal name as the instance.

This patch uses a feature of NFSv4.1/4.2 called SP4_NONE, which
allows the state maintenance operations to be performed by any
authentication mechanism, to do these operations via AUTH_SYS
instead of RPCSEC_GSS (Kerberos).  As such, neither of the above
mechanisms is needed.

It is hoped that this option will encourage adoption of Kerberized
NFS mounts using TLS, to provide a more secure NFS mount.

This new NFSv4.1/4.2 mount option, called "syskrb5" must be used
with "sec=krb5[ip]" to avoid the need for either of the above
Kerberos setups to be done by the client.

Note that all file access/modification operations still require
users on the NFS client to have a valid TGT recognized by the
NFSv4.1/4.2 server.  As such, this option allows, at most, a
malicious client to do some sort of DOS attack.

Although not required, use of "tls" with this new option is
encouraged, since it provides on-the-wire encryption plus,
optionally, client identity verification via a X.509
certificate provided to the server during TLS handshake.
Alternately, "sec=krb5p" does provide on-the-wire
encryption of file data.

A mount_nfs(8) man page update will be done in a separate commit.

Discussed on:	freebsd-current@
MFC after:	3 months
2023-03-16 15:55:36 -07:00
..
autofs vfs: add the concept of vnode state transitions 2022-12-26 17:35:12 +00:00
cd9660 Stop cleaning MNT_LOCAL on unmount 2023-01-14 20:28:11 +02:00
cuse cuse(3): Cosmetic change about testing boolean values. 2022-10-04 13:51:06 +02:00
deadfs vn_open(): If the vnode is reclaimed during open(2), do not return error. 2021-02-12 03:02:20 +02:00
devfs vfs: add the concept of vnode state transitions 2022-12-26 17:35:12 +00:00
ext2fs Fix block bitmap end position computation 2023-01-29 11:11:02 +03:00
fdescfs vfs: add the concept of vnode state transitions 2022-12-26 17:35:12 +00:00
fifofs fifofs: ansify 2023-02-07 23:18:51 +00:00
fuse fusefs: fix some resource leaks 2023-02-14 14:19:59 -07:00
mntfs vfs: add the concept of vnode state transitions 2022-12-26 17:35:12 +00:00
msdosfs msdosfs: fix debug print format and parameter 2023-03-08 17:58:00 +01:00
nfs nfscl: Add a new NFSv4.1/4.2 mount option for Kerberized mounts 2023-03-16 15:55:36 -07:00
nfsclient nfscl: Add a new NFSv4.1/4.2 mount option for Kerberized mounts 2023-03-16 15:55:36 -07:00
nfsserver nfscl: Add a new NFSv4.1/4.2 mount option for Kerberized mounts 2023-03-16 15:55:36 -07:00
nullfs nullfs: ansify 2023-02-07 23:22:27 +00:00
procfs vm_pager: Remove references to KVME_TYPE_DEFAULT in the kernel 2022-07-17 07:09:48 -04:00
pseudofs pseudofs: Fix LOR in VOP_READDIR. 2023-02-26 15:30:53 +00:00
smbfs smbfs: ansify 2023-02-07 23:35:11 +00:00
tarfs tarfs: Fix backtracking during node creation. 2023-03-16 11:31:22 +00:00
tmpfs tmpfs: support the nosymfollow mount option 2023-02-23 15:15:17 +02:00
udf udf: ansify 2023-02-07 23:24:24 +00:00
unionfs vfs: add the concept of vnode state transitions 2022-12-26 17:35:12 +00:00