Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 26 Mar 2020 14:59:23 +0000
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        John-Mark Gurney <jmg@funkthat.com>
Cc:        Alexander Leidinger <Alexander@leidinger.net>, "freebsd-current@FreeBSD.org" <freebsd-current@FreeBSD.org>
Subject:   Re: TLS certificates for NFS-over-TLS floating client
Message-ID:  <QB1PR01MB3649ADE4950B2A35CBD57BEBDDCF0@QB1PR01MB3649.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <QB1PR01MB3649F248F7D4C5B21630963FDDCF0@QB1PR01MB3649.CANPRD01.PROD.OUTLOOK.COM>
References:  <QB1PR01MB36491D0C0306EEB894E37EADDDF00@QB1PR01MB3649.CANPRD01.PROD.OUTLOOK.COM> <20200325231005.GQ4213@funkthat.com> <QB1PR01MB3649B224FC082726F085BA5DDDCE0@QB1PR01MB3649.CANPRD01.PROD.OUTLOOK.COM>, <20200326004154.GT4213@funkthat.com>, <QB1PR01MB3649F248F7D4C5B21630963FDDCF0@QB1PR01MB3649.CANPRD01.PROD.OUTLOOK.COM>
next in thread | previous in thread | raw e-mail | index | archive | help 
Sorry about the top post, but I thought of a few things to add to my
last post to this thread...
1 - I agree that for systems like laptops, the line between machine and
     user authentication is fuzzy.
2 - I do like your idea of having an exports(5) option that specifies a CN
      that identifies a user and then does all RPCs as that user.
      I'm not sure if an issuer needs to be specified (or even can be speci=
fied),
      since the CAfile argument to the rpctlssd daemon determines if a cert=
ificate
      from a particular CA will verify and the verification must happen bef=
ore the
      exports(5) export options can be applied. (Basically, certificate ver=
ification
      happens via a NULL RPC that does a STARTTLS when a TCP connection to
      the server is first established.)
3 - I'll post to nfsv4@ietf.org to see what others think of this, since it =
would not
      require any changes to the draft/RFC.
4 - Although it does require a revision to the export_args structure, I thi=
nk it is
     worth doing even if others don't implement it.

Again, thanks for your comments, rick

________________________________________
From: owner-freebsd-current@freebsd.org <owner-freebsd-current@freebsd.org>=
 on behalf of Rick Macklem <rmacklem@uoguelph.ca>
Sent: Thursday, March 26, 2020 10:33 AM
To: John-Mark Gurney
Cc: Alexander Leidinger; freebsd-current@FreeBSD.org
Subject: Re: TLS certificates for NFS-over-TLS floating client

John-Mark Gurney wrote:
[lots of stuff snipped]
>Rick Macklem wrote:
>> I had originally planned on some "secret" in the certificate (like a CN =
name
>> that satisfies some regular expression or ???) but others convinced me t=
hat
>> that wouldn't provide anything beyond knowing that the certificate was
>> signed by the appropriate CA, so I have not implemented anything.
>
>Yeah, having a "secret" in the CN doesn't make sense, but what does make
>sense is allowing the exports line to specify what the CN should contain
>to be authenticated...
>
>Say as a corp, you issue personal certificates to everyone.  This is
>because you require everyone to sign and/or encrypt their email w/
>S/MIME.  Each cert includes the email address of that person, so you
>could simply do something like:
>/home/alice -tlscert -tlsroot /etc/company.pem -email alice@example.com
>
>And anyone who has the certificate w/ alice@example.com that was signed
>by the public key in /etc/company.pem would be granted access to the
>export /home/alice.
>
>If it allowed ANY cert signed by the CA specified, then that introduces
>an authentication problem, as now if Malory is a coworker of Alice
>could also access Alice's home directory...
>
>IMO, this is one auth feature that MUST be supported...
The draft does not address user authentication, only machine authentication=
.
--> ie. The certificate is used to decide if a system can do a mount.
      Users are still identified via user credentials in the RPC message he=
ader.
      For AUTH_SYS, that still means <uid,gid,...>.
      Otherwise, you need to use Kerberos (sec=3Dkrb5[ip]).
      You could use "tls,sec=3Dkrb5" for a mount, but the only advantage th=
at
      might have over "sec=3Dkrb5p" is performance, if there is hardware as=
sist
      for TLS or something like that.

>Now that I reread your comments, it sounds like any certificate would be
>allowed in #2 as long as it is valid, and that would only be marginally
>better than verification by IP, and in some ways worse, in that now any
>user could pretend to be any other user, or you have to do something
>crazy like have a CA per user.
The case where I see #2 is useful is where this discussion started some wee=
ks ago.
The example I started with was:
/home -tls -network 192.168.1.0 -mask 255.255.255.0
/home -tlscert

This says that machines on the local lan can mount and do not need to have
certificates, but must use TLS so data is encrypted on the wire.
Mounts from anywhere else (presumably laptops) are allowed so long as they =
have a
certificate signed by me (as in the site local CA).
I trust these machines enough that I am willing to allow them to use AUTH_S=
YS,
which is what 99.9...% of NFS mounts do now.
(So, I'd agree that the site local certificate is not a lot better than IP =
address
 for client machine identity, just that it is an alternative that can be us=
eful.
 Without TLS, a line like "/home" allows anyone to mount /home from anywher=
e
 and I think you'd agree that few NFS admins. will want to do that. I'm ass=
uming
 no external firewall for this example.)

Now, your suggestion of identifying a user via the CN and then having the
server do all RPCs for the mount as that user is an interesting one.
My concern w.r.t. implementing it would be interoperability.
Put another way, if other servers such as Linux, Netapp,... don't adopt it
(and they won't until there is a draft/RFC specifying it), it would be
FreeBSD server specific and I'd like to avoid that.
There was some discussion w.r.t. user authentication via certificates
during development of the draft, but they decided to defer that work for
now, so they could get something in place for machine authentication first.
(If I understood the discussion on nfsv4@ietf.org.)

rick

>I'm wonder if your use of the term secret was the problem, and not the
>idea...  Anything that goes in the client cert is by definition public...
>TLS prior to 1.3 sends the client cert in clear text...  But keying
>based upon the contents of the cert is fine, as that's the point of
>what a cert is..  It's trusting the CA to say that the CN and other
>fields in the cert corresponds to this user, and you can use parts of
>the cert, like the CN to decide which user the public key in the cert
>corresponds to.

--
  John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
_______________________________________________
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?QB1PR01MB3649ADE4950B2A35CBD57BEBDDCF0>