Linux NFS development
From: Chuck Lever <chuck.lever@oracle.com>
To: Rick Macklem <rick.macklem@gmail.com>
Cc: NeilBrown <neil@brown.name>, Jeff Layton <jlayton@kernel.org>,
	Steve Dickson <steved@redhat.com>, Tom Haynes <loghyr@gmail.com>,
	linux-nfs@vger.kernel.org
Subject: Re: [PATCH nfs-utils] exportfs: make "insecure" the default for all exports
Date: Sun, 25 May 2025 13:29:37 -0400
Message-ID: <d539c502-e776-460f-852c-8af9722ad9f8@oracle.com>
In-Reply-To: <8aa0e4bc-c95e-469c-9aeb-59e2f103a604@oracle.com>

On 5/20/25 9:20 AM, Chuck Lever wrote:
> Hiya Rick -
> 
> On 5/19/25 9:44 PM, Rick Macklem wrote:
> 
>> Do you also have some configurable settings for if/how the DNS
>> field in the client's X.509 cert is checked?
>> The range is, imho:
>> - Don't check it at all, so the client can have any IP/DNS name (a mobile
>>   device). The least secure, but still pretty good, since the cert. is verified.
>> - DNS matches a wildcard like *.umich.edu for the reverse DNS name for
>>   the client's IP host address.
>> - DNS matches exactly what reverse DNS gets for the client's IP host address.
> 
> I've been told repeatedly that certificate verification must not depend
> on DNS because DNS can be easily spoofed. To date, the Linux
> implementation of RPC-with-TLS depends on having the peer's IP address
> in the certificate's SAN.
> 
> I recognize that tlshd will need to bend a little for clients that use
> a dynamically allocated IP address, but I haven't looked into it yet.
> Perhaps client certificates do not need to contain their peer IP
> address, but server certificates do, in order to enable mounting by IP
> instead of by hostname.
> 
> 
>> Wildcards are discouraged by some RFC, but are still supported by OpenSSL.
> 
> I would prefer that we follow the guidance of RFCs where possible,
> rather than a particular implementation that might have historical
> reasons to permit a lack of security.

Let me follow up on this.

We have an open issue against tlshd that has suggested that, rather
than looking at DNS query results, the NFS server should authorize
access by looking at the client certificate's CN. The server's
administrator should be able to specify a list of one or more CN
wildcards that can be used to authorize access, much in the same way
that NFSD currently uses netgroups and hostnames per export.

So, after validating the client's CA trust chain, an NFS server can
match the client certificate's CN against its list of authorized CNs,
and if the client's CN fails to match, fail the handshake (or whatever
we need to do).

I favor this approach over using DNS labels, which are often
untrustworthy, and IP addresses, which can be dynamically reassigned.

What do you think?

-- 
Chuck Lever

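A sketch of the CN-list check Chuck describes (validate the CA trust chain first, then match the client certificate's CN against an administrator-configured list of wildcard patterns), written here as an added illustration; it is not code from tlshd, nfs-utils or this thread. The wildcard semantics, the `chain_ok` stand-in for the TLS library's chain verification and all sample names are assumptions:

```python
"""
Decide whether an NFS client is authorized by its certificate CN.

Assumptions made for this example (the mail does not specify them):
a configured pattern is a DNS-style name whose leftmost label may be
the wildcard '*', which matches exactly one label (RFC 6125 style);
wildcards elsewhere, partial-label wildcards and patterns with fewer
than three labels (bare '*', '*.edu') are rejected as too broad.
Comparison is case-insensitive, as DNS names are.
"""
from __future__ import annotations


def _labels(name: str) -> list[str]:
    """Split a name into lower-case labels, ignoring a trailing dot."""
    name = name.strip().rstrip(".").lower()
    return name.split(".") if name else []


def pattern_is_acceptable(pattern: str) -> bool:
    """Reject malformed patterns and wildcards that would match far too much."""
    labels = _labels(pattern)
    if not labels or "" in labels:
        return False
    if any("*" in lab for lab in labels[1:]):
        return False              # wildcard only in the leftmost label
    if "*" in labels[0]:
        return labels[0] == "*" and len(labels) >= 3
    return True


def cn_matches(cn: str, pattern: str) -> bool:
    """True if the certificate CN matches one configured pattern."""
    if not pattern_is_acceptable(pattern):
        return False
    cn_labels, pat_labels = _labels(cn), _labels(pattern)
    if len(cn_labels) != len(pat_labels):
        return False              # '*' never spans several labels
    return all(p == "*" or c == p for c, p in zip(cn_labels, pat_labels))


def authorize_client(cn: str | None, chain_ok: bool, allowed: list[str]) -> bool:
    """The order from the mail: CA trust chain first, then the CN list.

    chain_ok stands in for the TLS library's chain-verification result."""
    if not chain_ok or not cn:
        return False
    return any(cn_matches(cn, pat) for pat in allowed)
```

A failed match is where the server would refuse the handshake (or reject the client at the NFS layer); the sample patterns above are constructed, not taken from any real deployment.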