From: Pete Wright <pete@nomadlogic.org>
To: Rick Macklem
Cc: FreeBSD CURRENT <freebsd-current@freebsd.org>
Date: Tue, 14 Mar 2023 11:53:46 -0700
Subject: Re: RFC: A new NFS mount option to encourage use of Kerberized mounts
Message-ID: <20230314185346.nlfz3ba7ih3qpo6h@topanga.nomadlogic.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On Mon, Mar 13, 2023 at 07:25:07PM -0700, Rick Macklem wrote:
> Hi,
>
> I have implemented a new mount option for NFSv4.1/4.2 mounts
> that I hope will encourage use of Kerberos and TLS to help
> secure NFS mounts. Although I do not know why users choose
> to not use Kerberized NFS mounts, I think that the administrative
> issues related to the "machine credential" are a factor.
> This new option, which I have called "syskrb5" (feel free to
> suggest a better name), avoids the need for a Kerberos machine
> credential.
>
> So, does this sound like something that should be committed
> to FreeBSD?

Speaking as an end user, this sounds pretty fantastic. I have several workloads in public cloud that use NFS, and having this added layer of auth would be really beneficial from a security perspective. I also like how it should be much easier for me to manage as well.

One question: do you see other NFS implementations getting ready to roll out this support on their end? I ask because it would be nice to have this client support working and well tested by the time other vendors start offering this support server side, for example AWS EFS.

Thanks!
-pete

-- 
Pete Wright
pete@nomadlogic.org
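A check that goes with the thread's point (NFS mounts that still run with sec=sys or without TLS are the ones a Kerberized/TLS option is meant to retire): the script below audits mount option lines in the two-line layout that FreeBSD's nfsstat -m prints and flags every mount that is not both Kerberized (sec=krb5, krb5i or krb5p) and TLS-protected. This is an added example written for this page, not code from the thread, from Rick Macklem's patch or from FreeBSD. The sample mount listing is constructed, not captured from a real host; the option names sec=, tls, nfsv4 and minorversion are existing mount_nfs(8) options, while "syskrb5" is only the name proposed in the thread and is deliberately not parsed here.

```shell
#!/bin/sh
# Audit NFS mounts for missing Kerberos (sec=sys) or missing TLS.
# Input format (as printed by `nfsstat -m` on FreeBSD): for each mount,
#   <server>:<export> on <mountpoint>
#   <comma-separated mount options>
# Added example for this page; not part of the original thread or FreeBSD.

# Constructed sample in the shape of `nfsstat -m` output (not real capture).
SAMPLE='nfs.example.org:/export/home on /home
nfsv4,minorversion=2,tcp,resvport,hard,cto,sec=krb5p,tls,acdirmin=3,acdirmax=60
nfs.example.org:/export/scratch on /scratch
nfsv4,minorversion=2,tcp,resvport,hard,cto,sec=sys,acdirmin=3,acdirmax=60
legacy.example.org:/vol0 on /mnt/legacy
nfsv3,tcp,resvport,hard,cto,sec=sys,acdirmin=3,acdirmax=60
nfs.example.org:/export/build on /build
nfsv4,minorversion=1,tcp,resvport,hard,cto,sec=krb5i,acdirmin=3,acdirmax=60'

# audit_nfs_mounts: read nfsstat -m style text on stdin and print one
# "WEAK <mount>: <reason>" line per mount that is not both Kerberized
# (sec=krb5*) and carrying the tls option. Exit 1 if any mount was
# flagged, 0 if every mount passed.
audit_nfs_mounts() {
    awk '
    # A "server:/export on /mountpoint" line names the mount that the
    # following option line belongs to.
    /^[^ ]+ on \// { mount = $0; next }
    {
        n = split($0, opts, ",")
        sec = "none"; tls = 0
        for (i = 1; i <= n; i++) {
            if (opts[i] ~ /^sec=/) sec = substr(opts[i], 5)
            else if (opts[i] == "tls") tls = 1
        }
        reason = ""
        if (sec !~ /^krb5/) reason = "sec=" sec " (no Kerberos)"
        if (!tls) reason = reason (reason ? "; " : "") "no tls"
        if (reason != "") { printf "WEAK %s: %s\n", mount, reason; weak++ }
    }
    END { if (weak > 0) exit 1; exit 0 }
    '
}

# count_weak_mounts: number of flagged mounts in SAMPLE (3 for the data above).
count_weak_mounts() {
    printf '%s\n' "$SAMPLE" | audit_nfs_mounts | grep -c '^WEAK'
}

# On a FreeBSD host, run against live data with: nfsstat -m | audit_nfs_mounts
```

Run as-is it reports the sample's two sec=sys mounts and the krb5i mount that lacks tls; on a real host pipe nfsstat -m into audit_nfs_mounts and treat a non-zero exit as "something still needs Kerberos or TLS".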