From owner-svn-src-head@freebsd.org Fri Nov 20 22:14:52 2020
Message-Id: <202011202214.0AKMEqTx091006@repo.freebsd.org>
From: Rick Macklem
Date: Fri, 20 Nov 2020 22:14:52 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r367912 - head/usr.sbin/mountd
X-SVN-Group: head
X-SVN-Commit-Author: rmacklem
X-SVN-Commit-Paths: head/usr.sbin/mountd
X-SVN-Commit-Revision: 367912
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
X-List-Received-Date: Fri, 20 Nov 2020 22:14:52 -0000

Author: rmacklem
Date: Fri Nov 20 22:14:51 2020
New Revision: 367912
URL: https://svnweb.freebsd.org/changeset/base/367912

Log:
  Update man page for new TLS export options.

  NFS over TLS uses three new export options, added by r364979.
  This patch updates the exports.5 man page for these new options.
  Once assigned by IETF, "NNNN" will be replaced with the RFC number.

  This is a content change.

  Reviewed by:	gbe
  Differential Revision:	https://review.freebsd.org/D26241

Modified:
  head/usr.sbin/mountd/exports.5

Modified: head/usr.sbin/mountd/exports.5
==============================================================================
--- head/usr.sbin/mountd/exports.5	Fri Nov 20 20:22:01 2020	(r367911)
+++ head/usr.sbin/mountd/exports.5	Fri Nov 20 22:14:51 2020	(r367912)
@@ -28,7 +28,7 @@ .\" @(#)exports.5 8.3 (Berkeley) 3/29/95 .\" $FreeBSD$ .\" -.Dd February 11, 2019 +.Dd November 20, 2020 .Dt EXPORTS 5 .Os .Sh NAME
@@ -117,9 +117,13 @@ exported to the host set. The option flags specify whether the file system is exported read-only or read-write and how the client UID is mapped to user credentials on the server. -For the NFSv4 tree root, the only option that can be specified in this -section is -.Fl sec . +For the NFSv4 tree root, the only options that can be specified in this +section are ones related to security: +.Fl sec , +.Fl tls , +.Fl tlscert +and +.Fl tlscertuser . .Pp Export options are specified as follows: .Pp @@ -241,6 +245,48 @@ or .Fl webnfs flags. .Pp +The +.Fl tls , +.Fl tlscert +and +.Fl tlscertuser +export options are used to require the client to use TLS for the mount(s) +per RFC NNNN. +For NFS mounts using TLS to work, +.Xr rpc.tlsservd 8 +must be running on the server. +.Bd -filled -offset indent +.Fl tls +requires that the client use TLS. +.br +.Fl tlscert +requires that the client use TLS and provide a verifiable X.509 certificate +during TLS handshake. +.br +.Fl tlscertuser +requires that the client use TLS and provide a verifiable X.509 certificate. +The otherName component of the certificate's subjAltName must have a +an OID of 1.3.6.1.4.1.2238.1.1.1 and a UTF8 string of the form +.Dq user@domain . +.Dq user@domain +will be translated to the credentials of the specified user in the same +manner as +.Xr nfsuserd 8 , +where +.Dq user +is normally a username is the server's password database and +.Dq domain +is the DNS domain name for the server. +All RPCs will be performed using these credentials instead of the +ones in the RPC header in a manner similar to +.Sm off +.Fl mapall Li = Sy user . +.Sm on +.Ed +.Pp +If none of these three flags are specified, TLS mounts are permitted but +not required. +.Pp Specifying the .Fl quiet option will inhibit some of the syslog diagnostics for bad lines in 
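Review bot: the new -tlscertuser paragraph in the @@ -241 hunk has three wording defects that will ship into the rendered page: "must have a an OID of 1.3.6.1.4.1.2238.1.1.1" doubles the article (drop the "a"); "is normally a username is the server's password database" should read "a username in the server's password database"; and "during TLS handshake" wants "during the TLS handshake". While here, "If none of these three flags are specified" reads better as "is specified". One documentation gap: each of -tls, -tlscert and -tlscertuser is described as requiring TLS, but nothing says whether more than one may appear on the same export line or which takes precedence when they do, which matters now that the @@ -117 hunk allows all three on the NFSv4 root line next to -sec; a sentence stating the allowed combinations (or that they are mutually exclusive) would settle it. The sentence "All RPCs will be performed using these credentials instead of the ones in the RPC header" is the security-relevant claim of the section and is clearly stated, but it would help the reader to say explicitly that the certificate must verify against the CA configured for rpc.tlsservd(8), since the paragraph already points there for the daemon requirement.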
@@ -541,7 +587,15 @@ afterwards, whereas NFSv3 rejects the mount request. .Xr netgroup 5 , .Xr mountd 8 , .Xr nfsd 8 , +.Xr rpc.tlsservd 8 , .Xr showmount 8 +.Sh STANDARDS +The implementation is based on the specification in +.Rs +.%T "Network File System Protocol Specification, Appendix A, RFC 1094" +.%T "NFS: Network File System Version 3, Appendix I, RFC 1813" +.%T "Towards Remote Procedure Call Encryption By Default, RFC nnnn" +.Re .Sh BUGS The export options are tied to the local mount points in the kernel and must be non-contradictory for any exported subdirectory of the local
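Review bot: the new STANDARDS section in the @@ -541 hunk puts three .%T entries inside a single .Rs/.Re block; mdoc treats one .Rs/.Re pair as one reference, so mandoc will render (and lint) this as a single garbled citation. Give each RFC its own block, e.g.
.Rs
.%T "Network File System Protocol Specification, Appendix A, RFC 1094"
.Re
and repeat for RFC 1813 and the TLS draft. Also, the placeholder is spelled "RFC nnnn" here but "RFC NNNN" in the @@ -241 hunk and in the commit log; use one spelling so the later substitution of the assigned number catches both occurrences. The addition of .Xr rpc.tlsservd 8 to SEE ALSO matches the new cross-reference in the body text and needs no change.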