Update man page for new TLS export options.

NFS over TLS uses three new export options, added by r364979.
This patch updates the exports.5 man page for these new options.
Once assigned by IETF, "NNNN" will be replaced with the RFC number.

This is a content change.

Reviewed by:	gbe
Differential Revision:	https://review.freebsd.org/D26241
Rick Macklem 2020-11-20 22:14:51 +00:00
parent e75f0f2b48
commit 9acc400b6e


@ -28,7 +28,7 @@
.\" @(#)exports.5 8.3 (Berkeley) 3/29/95
.\" $FreeBSD$
.\"
.Dd February 11, 2019
.Dd November 20, 2020
.Dt EXPORTS 5
.Os
.Sh NAME
@ -117,9 +117,13 @@ exported to the host set.
The option flags specify whether the file system
is exported read-only or read-write and how the client UID is mapped to
user credentials on the server.
For the NFSv4 tree root, the only option that can be specified in this
section is
.Fl sec .
For the NFSv4 tree root, the only options that can be specified in this
section are ones related to security:
.Fl sec ,
.Fl tls ,
.Fl tlscert
and
.Fl tlscertuser .
.Pp
Export options are specified as follows:
.Pp
@ -241,6 +245,48 @@ or
.Fl webnfs
flags.
.Pp
The
.Fl tls ,
.Fl tlscert
and
.Fl tlscertuser
export options are used to require the client to use TLS for the mount(s)
per RFC NNNN.
For NFS mounts using TLS to work,
.Xr rpc.tlsservd 8
must be running on the server.
.Bd -filled -offset indent
.Fl tls
requires that the client use TLS.
.br
.Fl tlscert
requires that the client use TLS and provide a verifiable X.509 certificate
during TLS handshake.
.br
.Fl tlscertuser
requires that the client use TLS and provide a verifiable X.509 certificate.
The otherName component of the certificate's subjAltName must have a
an OID of 1.3.6.1.4.1.2238.1.1.1 and a UTF8 string of the form
.Dq user@domain .
.Dq user@domain
will be translated to the credentials of the specified user in the same
manner as
.Xr nfsuserd 8 ,
where
.Dq user
is normally a username is the server's password database and
.Dq domain
is the DNS domain name for the server.
All RPCs will be performed using these credentials instead of the
ones in the RPC header in a manner similar to
.Sm off
.Fl mapall Li = Sy user .
.Sm on
.Ed
.Pp
If none of these three flags are specified, TLS mounts are permitted but
not required.
.Pp
Specifying the
.Fl quiet
option will inhibit some of the syslog diagnostics for bad lines in
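Review bot: the new `-tlscertuser` paragraph has two typos that should be fixed before commit: "must have a / an OID of 1.3.6.1.4.1.2238.1.1.1" doubles the article (drop the trailing "a" on the first of those two lines), and "is normally a username is the server's password database" should read "in the server's password database". "during TLS handshake" also reads better as "during the TLS handshake". Since the three flags differ in what they verify, consider stating explicitly that `-tls` alone only requires the connection to be encrypted and does not authenticate the client, whereas `-tlscert` and `-tlscertuser` additionally require a verifiable X.509 certificate; the current wording implies this, but an administrator choosing between the three would benefit from having it spelled out next to the definitions.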
@ -541,7 +587,15 @@ afterwards, whereas NFSv3 rejects the mount request.
.Xr netgroup 5 ,
.Xr mountd 8 ,
.Xr nfsd 8 ,
.Xr rpc.tlsservd 8 ,
.Xr showmount 8
.Sh STANDARDS
The implementation is based on the specification in
.Rs
.%T "Network File System Protocol Specification, Appendix A, RFC 1094"
.%T "NFS: Network File System Version 3, Appendix I, RFC 1813"
.%T "Towards Remote Procedure Call Encryption By Default, RFC nnnn"
.Re
.Sh BUGS
The export options are tied to the local mount points in the kernel and
must be non-contradictory for any exported subdirectory of the local
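Review bot: the STANDARDS entry uses the placeholder "RFC nnnn" in lowercase while the option description earlier in this patch (and the commit message) uses "RFC NNNN"; use one spelling so that the eventual replacement with the assigned RFC number catches both occurrences in a single pass. The `.Xr rpc.tlsservd 8` addition to SEE ALSO is correctly ordered and matches the cross-reference in the new option text.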