Date: Tue, 14 Mar 2023 19:21:20 -0700 From: Rick Macklem <rick.macklem@gmail.com> To: Pete Wright <pete@nomadlogic.org> Cc: FreeBSD CURRENT <freebsd-current@freebsd.org> Subject: Re: RFC: A new NFS mount option to encourage use of Kerberized mounts Message-ID: <CAM5tNy62BzV=0WpdRy1aEV6Bzi3x9Gev0_L1SYR_gAAJ0kqNOg@mail.gmail.com> In-Reply-To: <20230314185346.nlfz3ba7ih3qpo6h@topanga.nomadlogic.org> References: <CAM5tNy6xKn2BNdz3yBWDn%2Bm4EpJrbdfwxTAThjLvfFCsSC018A@mail.gmail.com> <20230314185346.nlfz3ba7ih3qpo6h@topanga.nomadlogic.org>
On Tue, Mar 14, 2023 at 11:53 AM Pete Wright <pete@nomadlogic.org> wrote:
>
> On Mon, Mar 13, 2023 at 07:25:07PM -0700, Rick Macklem wrote:
> > Hi,
> >
> > I have implemented a new mount option for NFSv4.1/4.2 mounts
> > that I hope will encourage use of Kerberos and TLS to help
> > secure NFS mounts. Although I do not know why users choose
> > to not use Kerberized NFS mounts, I think that the administrative
> > issues related to the "machine credential" are a factor.
> > This new option, which I have called "syskrb5" (feel free to
> > suggest a better name), avoids the need for a Kerberos machine
> > credential.
> >
> <snip>
> >
> > So, does this sound like something that should be committed
> > to FreeBSD?
> >
>
> speaking as an end user..
>
> this sounds pretty fantastic, i have several workloads in public
> cloud that use NFS, and having this added layer of auth would be
> really beneficial from a security perspective. i also like how
> it should be much easier for me to manage as well.
>
> one question - do you see other NFS implementations getting ready
> to roll out this support on their end? i ask because it would be
> nice to have this client support working and well tested by the time
> other vendors start offering this support server side. for example
> AWS EFS.

Well, there are three components:

1 - SP4_NONE, which is what the FreeBSD NFSv4.1/4.2 client always
    uses, so as far as I know, all the servers support it.
    (I have only been able to test against the FreeBSD and Linux
    knfsd at this point, so there may be surprises with other servers.)

2 - Kerberized NFSv4. It is required by the RFCs and is supported by
    at least most servers. I do not know if AWS EFS supports Kerberos.

3 - NFS-over-TLS (the RFC authors prefer RPC-with-TLS). At this time,
    only the FreeBSD server and a userland server called DesyFS
    (and maybe Ganesha) have support.
    There are experimental patches for the Linux knfsd, but I do not
    know how close they are to being in a mainstream kernel. Other
    server vendors should be working on this, but I have no idea what
    their current status is.

#3 is not needed for this mount case, but it will be nice to have.

(And the above may not be accurate. It is just what I have observed.)

Thanks for your comments, rick

>
> thanks!
> -pete
>
> --
> Pete Wright
> pete@nomadlogic.org