Date:      Fri, 20 Nov 2020 22:14:52 +0000 (UTC)
From:      Rick Macklem <rmacklem@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r367912 - head/usr.sbin/mountd
Message-ID:  <202011202214.0AKMEqTx091006@repo.freebsd.org>

Author: rmacklem
Date: Fri Nov 20 22:14:51 2020
New Revision: 367912
URL: https://svnweb.freebsd.org/changeset/base/367912

Log:
  Update man page for new TLS export options.
  
  NFS over TLS uses three new export options, added by r364979.
  This patch updates the exports.5 man page for these new options.
  Once assigned by IETF, "NNNN" will be replaced with the RFC number.
  
  This is a content change.
  
  Reviewed by:	gbe
  Differential Revision:	https://review.freebsd.org/D26241

Modified:
  head/usr.sbin/mountd/exports.5

Modified: head/usr.sbin/mountd/exports.5
==============================================================================
--- head/usr.sbin/mountd/exports.5	Fri Nov 20 20:22:01 2020	(r367911)
+++ head/usr.sbin/mountd/exports.5	Fri Nov 20 22:14:51 2020	(r367912)
@@ -28,7 +28,7 @@
 .\"     @(#)exports.5	8.3 (Berkeley) 3/29/95
 .\" $FreeBSD$
 .\"
-.Dd February 11, 2019
+.Dd November 20, 2020
 .Dt EXPORTS 5
 .Os
 .Sh NAME
@@ -117,9 +117,13 @@ exported to the host set.
 The option flags specify whether the file system
 is exported read-only or read-write and how the client UID is mapped to
 user credentials on the server.
-For the NFSv4 tree root, the only option that can be specified in this
-section is
-.Fl sec .
+For the NFSv4 tree root, the only options that can be specified in this
+section are ones related to security:
+.Fl sec ,
+.Fl tls ,
+.Fl tlscert
+and
+.Fl tlscertuser .
 .Pp
 Export options are specified as follows:
 .Pp
@@ -241,6 +245,48 @@ or
 .Fl webnfs
 flags.
 .Pp
+The
+.Fl tls ,
+.Fl tlscert
+and
+.Fl tlscertuser
+export options are used to require the client to use TLS for the mount(s)
+per RFC NNNN.
+For NFS mounts using TLS to work,
+.Xr rpc.tlsservd 8
+must be running on the server.
+.Bd -filled -offset indent
+.Fl tls
+requires that the client use TLS.
+.br
+.Fl tlscert
+requires that the client use TLS and provide a verifiable X.509 certificate
+during TLS handshake.
+.br
+.Fl tlscertuser
+requires that the client use TLS and provide a verifiable X.509 certificate.
+The otherName component of the certificate's subjAltName must have a
+an OID of 1.3.6.1.4.1.2238.1.1.1 and a UTF8 string of the form
+.Dq user@domain .
+.Dq user@domain
+will be translated to the credentials of the specified user in the same
+manner as
+.Xr nfsuserd 8 ,
+where
+.Dq user
+is normally a username is the server's password database and
+.Dq domain
+is the DNS domain name for the server.
+All RPCs will be performed using these credentials instead of the
+ones in the RPC header in a manner similar to
+.Sm off
+.Fl mapall Li = Sy user .
+.Sm on
+.Ed
+.Pp
+If none of these three flags are specified, TLS mounts are permitted but
+not required.
+.Pp
 Specifying the
 .Fl quiet
 option will inhibit some of the syslog diagnostics for bad lines in
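Review bot: the -tlscertuser paragraph has a doubled article across the line break ("must have a" / "an OID of ...") and a wrong preposition ("a username is the server's password database" should be "in the server's password database"); suggest `The otherName component of the certificate's subjAltName must have` followed by `an OID of 1.3.6.1.4.1.2238.1.1.1 and a UTF8 string of the form`, and `is normally a username in the server's password database and`. On substance, -tlscert and -tlscertuser both say the client must provide a "verifiable" X.509 certificate without saying against what it is verified; since rpc.tlsservd(8) is already cross-referenced a few lines above, a short pointer to it as the place where the server's trust anchors are configured would let an administrator know where to look when a mount is refused.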
@@ -541,7 +587,15 @@ afterwards, whereas NFSv3 rejects the mount request.
 .Xr netgroup 5 ,
 .Xr mountd 8 ,
 .Xr nfsd 8 ,
+.Xr rpc.tlsservd 8 ,
 .Xr showmount 8
+.Sh STANDARDS
+The implementation is based on the specification in
+.Rs
+.%T "Network File System Protocol Specification, Appendix A, RFC 1094"
+.%T "NFS: Network File System Version 3, Appendix I, RFC 1813"
+.%T "Towards Remote Procedure Call Encryption By Default, RFC nnnn"
+.Re
 .Sh BUGS
 The export options are tied to the local mount points in the kernel and
 must be non-contradictory for any exported subdirectory of the local
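Review bot: the new STANDARDS section wraps three .%T lines in a single .Rs/.Re block, so mdoc renders them as one reference carrying three titles rather than three references; each RFC should get its own pair, e.g. `.Rs` / `.%T "Towards Remote Procedure Call Encryption By Default, RFC nnnn"` / `.Re`, and the RFC number fits better in a `.%R` field than inside the title string. The placeholder is also spelled "RFC nnnn" here but "RFC NNNN" in the export-options hunk; using one form makes the eventual search-and-replace mentioned in the log message catch both occurrences.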
