From: Rick Macklem
Date: Tue, 14 Mar 2023 19:21:20 -0700
Subject: Re: RFC: A new NFS mount option to encourage use of Kerberized mounts
To: Pete Wright
Cc: FreeBSD CURRENT
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current
In-Reply-To: <20230314185346.nlfz3ba7ih3qpo6h@topanga.nomadlogic.org>

On Tue, Mar 14, 2023 at 11:53 AM Pete Wright wrote:
>
> On Mon, Mar 13, 2023 at 07:25:07PM -0700, Rick Macklem wrote:
> > Hi,
> >
> > I have implemented a new mount option for NFSv4.1/4.2 mounts
> > that I hope will encourage use of Kerberos and TLS to help
> > secure NFS mounts. Although I do not know why users choose
> > to not use Kerberized NFS mounts, I think that the administrative
> > issues related to the "machine credential" are a factor.
> > This new option, which I have called "syskrb5" (feel free to
> > suggest a better name), avoids the need for a Kerberos machine
> > credential.
> >
> > So, does this sound like something that should be committed
> > to FreeBSD?
> >
>
> Speaking as an end user..
>
> This sounds pretty fantastic. I have several workloads in public
> cloud that use NFS, and having this added layer of auth would be
> really beneficial from a security perspective. I also like how
> it should be much easier for me to manage as well.
>
> One question - do you see other NFS implementations getting ready
> to roll out this support on their end? I ask because it would be
> nice to have this client support working and well tested by the time
> other vendors start offering this support server side, for example
> AWS EFS.

Well, there are three components:

1 - SP4_NONE, which is what the FreeBSD NFSv4.1/4.2 client always uses,
so as far as I know, all the servers support it. (I have only been able
to test against the FreeBSD and Linux knfsd at this point, so there may
be surprises with other servers.)

2 - Kerberized NFSv4. It is required by the RFCs and is supported by at
least most servers. I do not know if AWS EFS supports Kerberos?

3 - NFS-over-TLS (the RFC authors prefer RPC-with-TLS). At this time,
only the FreeBSD server and a userland server called DesyFS (and maybe
Ganesha) have support. There are experimental patches for the Linux
knfsd, but I do not know how close they are to being in a mainstream
kernel. Other server vendors should be working on this, but I have no
idea what their current status is.

#3 is not needed for this mount case, but it will be nice to have.

(And the above may not be accurate. It is just what I have observed.)

Thanks for your comments, rick

>
> thanks!
> -pete
>
> --
> Pete Wright
> pete@nomadlogic.org