From: Chuck Lever <chuck.lever@oracle.com>
To: NeilBrown <neil@brown.name>
Cc: Jeff Layton <jlayton@kernel.org>,
Steve Dickson <steved@redhat.com>, Tom Haynes <loghyr@gmail.com>,
linux-nfs@vger.kernel.org
Subject: Re: [PATCH nfs-utils] exportfs: make "insecure" the default for all exports
Date: Mon, 19 May 2025 10:16:25 -0400 [thread overview]
Message-ID: <780a7e7a-b8c4-4ebf-ab79-d1480afb6b6f@oracle.com> (raw)
In-Reply-To: <174763456358.62796.11640858259978429069@noble.neil.brown.name>
On 5/19/25 2:02 AM, NeilBrown wrote:
> On Fri, 16 May 2025, Chuck Lever wrote:
>>
>> Fair enough. We'll focus on improving the man page text for now.
>>
>
> Has anyone volunteered to do that?
Jeff has, but thank you for the text!
> I haven't added anything about mtls as I couldn't find out how nfsd
> interprets the identity presented in the client-side certificate. If
> the identity is a "machine identity" then sec=sys would make sense on
> that connection. If the identity is for a specific user and can map to
> a uid, the all_squash,anon=UID should be imposed on that connection.
>
> Can you point me to any documentation about how the client certificate
> is interpreted by nfsd?
A TLS handshake is rejected if the server does not recognize the client
certificate's trust chain, as is standard practice for TLS with other
upper layer protocols. Therefore, when an export requires mtls, the
client must present a certificate and the server must recognize the
granting CA for that cert. In recent nfs-utils, there is a "Transport
layer security" section in exports(5) that might be updated to include
that information.
According to RFC 9289, client certificates are machine identities. To
identify a squash user, we plan to adopt the FreeBSD mechanism where
user squashing instructions can be included in the client certificate as
part of the Subject Alternate Name. This is not documented because it is
not yet implemented in Linux (but FreeBSD client and server do currently
implement this mechanism).
--
Chuck Lever
next prev parent reply other threads:[~2025-05-19 14:16 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-13 13:50 [PATCH nfs-utils] exportfs: make "insecure" the default for all exports Jeff Layton
2025-05-13 14:17 ` Chuck Lever
2025-05-13 15:14 ` Lionel Cons
2025-05-13 15:35 ` Jeff Layton
2025-05-13 16:11 ` Chuck Lever
2025-06-04 17:12 ` Cedric Blancher
2025-06-04 18:20 ` Chuck Lever
2025-05-14 2:16 ` NeilBrown
2025-05-14 2:28 ` NeilBrown
2025-05-14 11:17 ` Jeff Layton
2025-05-14 11:43 ` NeilBrown
2025-05-14 12:02 ` Jeff Layton
2025-05-14 21:58 ` NeilBrown
2025-05-14 12:56 ` Chuck Lever
2025-05-14 21:47 ` NeilBrown
2025-05-15 12:01 ` Chuck Lever
2025-05-15 21:44 ` NeilBrown
2025-05-16 12:09 ` Chuck Lever
2025-05-19 6:02 ` NeilBrown
2025-05-19 11:39 ` Jeff Layton
2025-05-19 14:16 ` Chuck Lever [this message]
[not found] ` <4bee9565-c2a8-4b90-be57-7d1340fa9ed7@esat.kuleuven.be>
2025-05-19 20:51 ` Chuck Lever
2025-05-20 1:44 ` Rick Macklem
2025-05-20 13:20 ` Chuck Lever
2025-05-25 17:29 ` Chuck Lever
2025-05-26 0:09 ` NeilBrown
2025-05-26 1:47 ` Rick Macklem
2025-05-26 1:52 ` Rick Macklem
2025-05-26 2:29 ` NeilBrown
2025-05-28 0:57 ` Rick Macklem
2025-05-27 13:28 ` Chuck Lever
2025-05-27 15:05 ` Chuck Lever
2025-05-27 15:58 ` Rick Macklem
2025-05-27 16:29 ` Rick Macklem
2025-05-27 16:58 ` Chuck Lever
2025-05-28 1:06 ` Rick Macklem
2025-05-27 19:18 ` Benjamin Coddington
2025-05-27 19:41 ` Chuck Lever
2025-05-27 20:25 ` Benjamin Coddington
2025-05-28 14:07 ` Chuck Lever
2025-05-28 1:24 ` NeilBrown
2025-05-28 2:48 ` Rick Macklem
2025-05-14 11:46 ` Chuck Lever
2025-05-14 12:28 ` Thomas Haynes
2025-05-14 21:49 ` NeilBrown
2025-05-14 2:38 ` NeilBrown
2025-05-14 11:20 ` Jeff Layton
2025-05-15 1:32 ` Christopher Bii
2025-05-21 9:06 ` Sebastian Feld
2025-05-21 12:25 ` Jeff Layton
2025-05-21 13:14 ` Chuck Lever
2025-05-21 13:43 ` Chuck Lever
2025-06-04 17:07 ` Cedric Blancher
2025-06-04 18:26 ` Steve Dickson
2025-06-04 18:45 ` Cedric Blancher
2025-06-04 19:17 ` Jeff Layton
2025-06-04 19:53 ` Steve Dickson
2025-06-05 16:48 ` Trond Myklebust
2025-06-05 18:09 ` Chuck Lever
2025-06-05 8:20 ` Cedric Blancher
2025-06-05 13:54 ` Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=780a7e7a-b8c4-4ebf-ab79-d1480afb6b6f@oracle.com \
--to=chuck.lever@oracle.com \
--cc=jlayton@kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=loghyr@gmail.com \
--cc=neil@brown.name \
--cc=steved@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox