From owner-svn-src-projects@freebsd.org Fri Apr 3 22:15:49 2020
Message-Id: <202004032206.033M6uA5099394@repo.freebsd.org>
From: Rick Macklem
Date: Fri, 3 Apr 2020 22:06:56 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r359617 - projects/nfs-over-tls/usr.sbin/rpctlssd
X-SVN-Group: projects
X-SVN-Commit-Author: rmacklem
X-SVN-Commit-Paths: projects/nfs-over-tls/usr.sbin/rpctlssd
X-SVN-Commit-Revision: 359617
X-SVN-Commit-Repository: base

Author: rmacklem
Date: Fri Apr 3 22:06:55 2020
New Revision: 359617
URL: https://svnweb.freebsd.org/changeset/base/359617

Log:
  Bring the man page for rpctlssd up to date.

Modified:
  projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8

Modified: projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8
==============================================================================
--- projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8	Fri Apr 3 22:03:21 2020	(r359616)
+++ projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8	Fri Apr 3 22:06:55 2020	(r359617)
@@ -39,9 +39,13 @@ .Op Fl h .Op Fl l Ar CAfile .Op Fl m +.Op Fl n Ar domain_name .Op Fl p Ar CApath .Op Fl r Ar CRLfile +.Op Fl u .Op Fl v +.Op Fl W +.Op Fl w .Sh DESCRIPTION The .Nm
@@ -50,22 +54,43 @@ implementation. This daemon must be running to allow the kernel RPC to perform the TLS handshake after a TCP client has sent the STARTTLS Null RPC request to the server. -This is needed to support clients doing NFS over TLS. +This daemon requires that the kernel be built with +.Dq options KERNEL_TLS +and be running on an architecture such as +.Dq amd64 +that supports a direct map (not i386). Note that the .Fl tls option in the .Xr exports 5 -file specifies that the client must use RPC over TLS and the +file specifies that the client must use RPC over TLS. +The .Fl tlscert option in the .Xr exports 5 file specifies that the client must provide a certificate that verifies. -For this latter case, the +The +.Fl tlscertuser +option in the +.Xr exports 5 +file specifies that the client must provide a certificate +that verifies and has a otherName:1.2.3.4.6.9;UTF8: field of +subjectAltName of the form +.Dq user@dns_domain +that maps to a . +For the latter two cases, the .Fl m -and +and either the .Fl l +or +.Fl p options must be specified. +The +.Fl tlscertuser +option also requires that the +.Fl u +option on this daemon be specified. .Pp Also, if the IP address used by the client cannot be trusted, the rules in 
@@ -75,22 +100,46 @@ As such, the .Fl h option can be used along with .Fl m -and +and either the .Fl l +or +.Fl p options to require that the client certificate have the correct -Fully Qualified Domain Name in it. +Fully Qualified Domain Name (FQDN) in it. .Pp A certificate and associated key must exist in /etc/rpctlssd -(or the ``certdir'' specified by the +(or the +.Dq certdir +specified by the .Fl D option) -in files named ``cert.pem'' and ``key.pem''. +in files named +.Dq cert.pem +and +.Dq key.pem . .Pp +If a SIGHUP signal is sent to the daemon it will reload the +.Dq CRLfile . +If the +.Fl r +option was not specified, the SIGHUP signal will be ignored. +.Pp +The daemon will log failed certificate verifications via +.Xr syslogd 8 +using LOG_INFO | LOG_DAEMON when the +.Fl m +option has been specified. +.Pp The options are as follows: .Bl -tag -width indent .It Fl D Ar certdir -Use ``certdir'' instead of /etc/rpctlssd as the location for the -certificate in a file called ``cert.pem'' and key in ``key.pem''. +Use +.Dq certdir +instead of /etc/rpctlssd as the location for the +certificate in a file called +.Dq cert.pem +and key in +.Dq key.pem . .It Fl d Run in debug mode. In this mode, 
@@ -98,17 +147,23 @@ In this mode, will not fork when it starts. .It Fl h This option specifies that the client must provide a certificate -that both verifies and has the Fully Qualified Domain Name (FQDN) for -the IP address that the client uses to connect to the server -in either the subjectAltName or commonName field of the -certificate. +that both verifies and has a FQDN that matches the reverse +DNS name for the IP address that +the client uses to connect to the server. +The FQDN should be +in the DNS field of the subjectAltName, but is also allowed +to be in the CN field of the +subjectName in the certificate. +By default, a wildcard "*" in the FQDN is not allowed. With this option, a failure to verify the client certificate -or find the FQDN in the certificate will result in the +or match the FQDN will result in the server sending AUTH_REJECTEDCRED replies to all client RPCs. This option requires the .Fl m -and +and either the .Fl l +or +.Fl p options. .It Fl l Ar CAfile This option specifies the path name of a CA certificate(s) file @@ -119,10 +174,13 @@ This path name is used in .Dq SSL_CTX_load_verify_locations(ctx,CAfile,NULL) and .Dq SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile)) -openssl calls. +openssl library calls. Note that this is a path name for the file and is not assumed to be -in ``certdir''. -This option should be specified when the +in +.Dq certdir . +Either this option or the +.Fl p +option must be specified when the .Fl m option is specified so that the daemon can verify the client's certificate. 
@@ -132,10 +190,28 @@ from the client during the TLS handshake. It does not require that the client provide a certificate. It should be specified unless no client doing RPC over TLS is required to have a certificate. -For NFS, the export option +For NFS, either the export option .Fl tlscert -will be used to require a client to provide a certificate +or +.Fl tlscertuser +may be used to require a client to provide a certificate that verifies. +See +.Xr exports 5 . +.It Fl n Ar domain_name +This option specifies what the +.Dq domain_name +is for use with the +.Fl u +option, overriding the domain_name of the server this daemon is running on. +If you have specified the +.Fl domain +command line option for +.Xr nfsuserd 8 +then you should specify this option with the same +.Dq domain_name +that was specified for +.Xr nfsuserd 8 . .It Fl p Ar CApath This option is similar to the .Fl l 
@@ -158,23 +234,90 @@ This option is meaningless unless either the or .Fl p have been specified. +.It Fl u +This option specifies that if the client provides a certificate +that both verifies and has a subjectAltName with an otherName of the form +.Dq otherName:1.2.3.4.6.9;UTF8:user@dns_domain +the daemon will attempt to map +.Dq user@dns_domain +in the above +to a . +The mapping of +.Dq user@dns_domain +is done in the same manner as the +.Xr nfsuserd 8 +daemon, where +.Dq dns_domain +is the domain of the NFS server (or the one set via the +.Fl n +option) and +.Dq user +is a valid username in the password database. +If this mapping is successful, then the for +.Dq user +will be used for all +RPCs on the mount instead of the credentials in the RPC request +header. +This option requires the +.Fl m +and either the +.Fl l +or +.Fl p +options. +Use of this option does not conform to RFC-X, which does +not allow certificates to be used for user authentication. .It Fl v Run in verbose mode. In this mode, .Nm -will log activity messages to syslog using LOG_INFO | LOG_DAEMON or to +will log activity messages to +.Xr syslogd 8 +using LOG_INFO | LOG_DAEMON or to stderr, if the .Fl d option has also been specified. +.It Fl W +This option is used with the +.Fl h +option to allow use of a wildcard +.Dq * +that matches multiple +components of the reverse DNS name for the client's IP +address. +For example, the FQDN +.Dq *.uoguelph.ca +would match both +.Dq laptop21.uoguelph.ca +and +.Dq laptop3.cis.uoguelph.ca . +.It Fl w +Similar to +.Fl W +but allows the wildcard +.Dq * +to match a single component of the reverse DNS name. +For example, the FQDN +.Dq *.uoguelph.ca +would match +.Dq laptop21.uoguelph.ca +but not +.Dq laptop3.cis.uoguelph.ca . +Only one of the +.Fl W +and +.Fl w +options is allowed. 
.El .Sh EXIT STATUS .Ex -std .Sh SEE ALSO .Xr openssl 1 , -.Xr syslog 3 , .Xr exports 5 , .Xr mount_nfs 8 , -.Xr rpctlscd 8 +.Xr nfsuserd 8 , +.Xr rpctlscd 8 , +.Xr syslogd 8 .Sh BUGS This daemon cannot be safely shut down and restarted if there are any active RPC-over-TLS connections.
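Review bot: in the @@ -50,22 +54,43 @@ hunk the new -tlscertuser paragraph has a sentence that is cut off: "that maps to a ." names no target, so the reader cannot tell what user@dns_domain is mapped to; the same paragraph has "has a otherName:1.2.3.4.6.9;UTF8: field", which should read "an otherName" and should also say what that OID is (it reads like a placeholder rather than an assigned arc). Please complete both before this ships.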
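Review bot: in the @@ -98,17 +147,23 @@ hunk the -h description now says the certificate FQDN must match "the reverse DNS name for the IP address"; the page should state that this check is therefore only as trustworthy as the PTR lookup for that address, since an operator reading "cannot be trusted" in the preceding paragraph may assume -h does not rely on DNS at all. Minor style point in the same hunk: the sentence "By default, a wildcard "*" in the FQDN is not allowed." uses literal double quotes where the rest of the page uses .Dq, e.g. ".Dq *" as in the later -W and -w descriptions.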
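Review bot: in the @@ -132,10 +190,28 @@ hunk the -n description mixes ".Dq domain_name" with a bare "domain_name of the server this daemon is running on"; use .Dq consistently so the reader can tell the argument name from the prose, and consider saying what the default is when neither -n nor the nfsuserd -domain option is given (the text implies "the server's domain" but never states how it is derived).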
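Review bot: in the @@ -158,23 +234,90 @@ hunk the -u description has two incomplete sentences, "to a ." and "then the for .Dq user will be used for all RPCs", which leave the mapped credential unnamed; since this option replaces the credentials in the RPC request header with whatever the certificate maps to, that sentence is the security-critical one and must be complete. The closing sentence "does not conform to RFC-X" has a placeholder where the RFC number (or draft name) belongs. Also, -W and -w are described only as "used with the -h option"; following the pattern already used for -r ("This option is meaningless unless ..."), state explicitly what happens when either is given without -h.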