Re: RFC: A new NFS mount option to encourage use of Kerberized mounts

In reply to: Pete Wright : "Re: RFC: A new NFS mount option to encourage use of Kerberized mounts"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Rick Macklem <rick.macklem_at_gmail.com>
Date: Wed, 15 Mar 2023 02:21:20 UTC

On Tue, Mar 14, 2023 at 11:53 AM Pete Wright <pete@nomadlogic.org> wrote:
>
> On Mon, Mar 13, 2023 at 07:25:07PM -0700, Rick Macklem wrote:
> > Hi,
> >
> > I have implemented a new mount option for NFSv4.1/4.2 mounts
> > that I hope will encourage use of Kerberos and TLS to help
> > secure NFS mounts.  Although I do not know why users choose
> > to not use Kerberized NFS mounts, I think that the administrative
> > issues related to the "machine credential" is a factor.
> > This new option, which I have called "syskrb5" (feel free to
> > suggest a better name), avoids the need for a Kerberos machine
> > credential.
> >
> <snip>
> >
> > So, does this sound like something that should be committed
> > to FreeBSD?
> >
>
> speaking as an enduser..
>
> this sounds pretty fantastic, i have several workloads in public
> cloud that use NFS, and having this added layer of auth would be
> really beneficial from a security perspective.  i also like how
> it should be much easier for me to manage as well.
>
> one question - do you see other NFS implementations getting ready
> to roll out this support on their end?  i ask because it would be
> nice to have this client support working and well tested by the time
> other vendors start offering this support server side.  for example
> AWS EFS.
Well, there are three components:
1 - SP4_NONE, which is what the FreeBSD NFSv4.1/4.2 client
     always uses, so as far as I know, all the servers support it.
     (I have only been able to test against the FreeBSD and Linux
      knfsd at this point, so there may be surprises with other servers.)
2 - Kerberized NFSv4. It is required by the RFCs and is supported by
     at least most servers. I do not know if AWS EFS supports Kerberos?
3 - NFS-over-TLS (the RFC authors prefer RPC-with-TLS).  At this time,
     only the FreeBSD server and a userland server called DesyFS
     (and maybe Ganesha) have support. There are experimental patches
      for the Linux knfsd, but I do not know how close they are to being
      in a mainstream kernel.
      Other server verdors should be working on this, but I have no idea
      what their current status is.
#3 is not needed for this mount case, but it will be nice to have.
(And the above may not be accurate. It is just what I have observed.)

Thanks for your comments, rick

>
> thanks!
> -pete
>
> --
> Pete Wright
> pete@nomadlogic.org