FreeBSD src
Go to file
Rick Macklem 896516e54a nfscl: Add a new NFSv4.1/4.2 mount option for Kerberized mounts
Without this patch, a Kerberized NFSv4.1/4.2 mount must provide
a Kerberos credential for the client at mount time.  This credential
is typically referred to as a "machine credential".  It can be
created one of two ways:
- The user (usually root) has a valid TGT at the time the mount
  is done and this becomes the machine credential.
  There are two problems with this.
  1 - The user doing the mount must have a valid TGT for a user
      principal at mount time.  As such, the mount cannot be put
      in fstab(5) or similar.
  2 - When the TGT expires, the mount breaks.
- The client machine has a service principal in its default keytab
  file and this service principal (typically called a host-based
  initiator credential) is used as the machine credential.
  There are problems with this approach as well:
  1 - There is a certain amount of administrative overhead creating
      the service principal for the NFS client, creating a keytab
      entry for this principal and then copying the keytab entry
      into the client's default keytab file via some secure means.
  2 - The NFS client must have a fixed, well known, DNS name, since
      that FQDN is in the service principal name as the instance.

This patch uses a feature of NFSv4.1/4.2 called SP4_NONE, which
allows the state maintenance operations to be performed by any
authentication mechanism, to do these operations via AUTH_SYS
instead of RPCSEC_GSS (Kerberos).  As such, neither of the above
mechanisms is needed.

It is hoped that this option will encourage adoption of Kerberized
NFS mounts using TLS, to provide a more secure NFS mount.

This new NFSv4.1/4.2 mount option, called "syskrb5" must be used
with "sec=krb5[ip]" to avoid the need for either of the above
Kerberos setups to be done by the client.

Note that all file access/modification operations still require
users on the NFS client to have a valid TGT recognized by the
NFSv4.1/4.2 server.  As such, this option allows, at most, a
malicious client to do some sort of DOS attack.

Although not required, use of "tls" with this new option is
encouraged, since it provides on-the-wire encryption plus,
optionally, client identity verification via a X.509
certificate provided to the server during TLS handshake.
Alternately, "sec=krb5p" does provide on-the-wire
encryption of file data.

A mount_nfs(8) man page update will be done in a separate commit.

Discussed on:	freebsd-current@
MFC after:	3 months
2023-03-16 15:55:36 -07:00
.cirrus-ci Cirrus-CI: add some timing info on pkg install failure 2021-08-04 15:02:00 -04:00
.github Vendor import of OpenSSH 9.3p1 2023-03-16 08:41:22 -04:00
bin uuidgen(1): fix another typo 2023-03-06 09:03:52 +01:00
cddl ctf: Remove unused function prototype for getpname() 2023-02-26 12:18:25 +08:00
contrib Vendor import of OpenSSH 9.3p1 2023-03-16 08:41:22 -04:00
crypto ssh: Update to OpenSSH 9.3p1 2023-03-16 10:29:55 -04:00
etc Reserve u2f group for FIDO/U2F key support (SSH, etc.) 2023-03-14 13:09:40 -04:00
gnu gnu diff3: apply patch to committed src, rather than at build time 2022-11-13 21:33:40 -05:00
include secure_getenv: Put under __BSD_VISIBLE 2023-03-14 17:43:13 -06:00
kerberos5 kerberos5: retire now-unused MIPS support 2022-11-02 13:16:18 -04:00
lib libipsec: ansify 2023-03-16 19:19:35 +00:00
libexec rc: ignore .pkgsave files 2023-03-14 20:52:15 -06:00
release ARM release build: enable IPv6 SLAAC by default 2023-02-12 22:32:16 +01:00
rescue rescue: Fix link order of SSL libraries and fetch. 2023-02-02 09:23:02 -08:00
sbin ping: Remove ifndef icmp_data guards 2023-03-14 11:58:03 -04:00
secure ssh: Update to OpenSSH 9.3p1 2023-03-16 10:29:55 -04:00
share Add new DISK_IMAGE_TOOLS_BOOTSTRAP option 2023-03-15 00:06:53 +00:00
stand loader: Add support for booting from a ZFS snapshot 2023-03-14 14:18:29 +00:00
sys nfscl: Add a new NFSv4.1/4.2 mount option for Kerberized mounts 2023-03-16 15:55:36 -07:00
targets retire sconfig(8) ce(4)/cp(4) configuration tool 2022-12-13 15:25:13 -05:00
tests tun tests: Fix cleanup definitions 2023-03-16 13:27:24 -04:00
tools stress2: New problem found was added 2023-03-16 13:59:16 +01:00
usr.bin less: silence K&R warns 2023-03-16 18:24:12 +00:00
usr.sbin sendmail: silence K&R warns 2023-03-16 18:18:48 +00:00
.arcconfig arcanist: use FreeBSD/git project repository instead of FreeBSD/svn 2022-08-23 14:16:41 +00:00
.arclint arc lint: ignore /tests/ in chmod 2017-12-19 03:38:06 +00:00
.cirrus.yml CI: Run pkgbase METALOG lint script 2023-03-14 21:13:46 -04:00
.clang-format clang-format: Add bitset loop macros 2021-09-21 12:08:01 -04:00
.git-blame-ignore-revs Add git-blame ignore file 2023-01-23 15:27:25 -05:00
.gitattributes Add a basic clang-format configuration file 2019-06-07 15:23:52 +00:00
.gitignore .gitignore: Ignore LSP generated .cache 2023-03-07 10:04:18 -05:00
CONTRIBUTING.md CONTRIBUTING.md: correct developer certificate of origin link markup 2023-02-27 21:36:29 -05:00
COPYRIGHT Happy New Year 2023! 2023-01-01 13:44:43 +08:00
LOCKS LOCKS: update current locks 2018-06-09 03:08:04 +00:00
MAINTAINERS MAINTAINERS+GitHub: Reflect ipfilter was moved from contrib to netpfil 2023-02-28 10:33:03 -08:00
Makefile universe: Switch GCC toolchains to GCC 12. 2023-01-27 13:35:13 -08:00
Makefile.inc1 Add new DISK_IMAGE_TOOLS_BOOTSTRAP option 2023-03-15 00:06:53 +00:00
Makefile.libcompat libcompat: avoid installing include files twice 2022-11-16 19:15:20 -05:00
Makefile.sys.inc AUTO_OBJ: For all top-level targets enforce using an OBJDIR. 2017-12-05 21:29:47 +00:00
ObsoleteFiles.inc ng_atmllc: remove 2023-03-09 18:04:21 +00:00
README.md Vendor import of OpenSSH 9.3p1 2023-03-16 08:41:22 -04:00
RELNOTES RELNOTES: Add an entry for NFS server support in vnet prisons 2023-03-12 14:55:46 -07:00
UPDATING UPDATING 2023-02-24 23:20:52 -07:00

FreeBSD Source:

This is the top level of the FreeBSD source directory.

FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms. A large community has continually developed it for more than thirty years. Its advanced networking, security, and storage features have made FreeBSD the platform of choice for many of the busiest web sites and most pervasive embedded networking and storage devices.

For copyright information, please see the file COPYRIGHT in this directory. Additional copyright information also exists for some sources in this tree - please see the specific source directories for more information.

The Makefile in this directory supports a number of targets for building components (or all) of the FreeBSD source tree. See build(7), config(8), FreeBSD handbook on building userland, and Handbook for kernels for more information, including setting make(1) variables.

For information on the CPU architectures and platforms supported by FreeBSD, see the FreeBSD website's Platforms page.

Source Roadmap:

Directory Description
bin System/user commands.
cddl Various commands and libraries under the Common Development and Distribution License.
contrib Packages contributed by 3rd parties.
crypto Cryptography stuff (see crypto/README).
etc Template files for /etc.
gnu Commands and libraries under the GNU General Public License (GPL) or Lesser General Public License (LGPL). Please see gnu/COPYING and gnu/COPYING.LIB for more information.
include System include files.
kerberos5 Kerberos5 (Heimdal) package.
lib System libraries.
libexec System daemons.
release Release building Makefile & associated tools.
rescue Build system for statically linked /rescue utilities.
sbin System commands.
secure Cryptographic libraries and commands.
share Shared resources.
stand Boot loader sources.
sys Kernel sources (see sys/README.md).
targets Support for experimental DIRDEPS_BUILD
tests Regression tests which can be run by Kyua. See tests/README for additional information.
tools Utilities for regression testing and miscellaneous tasks.
usr.bin User commands.
usr.sbin System administration commands.

For information on synchronizing your source tree with one or more of the FreeBSD Project's development branches, please see FreeBSD Handbook.