Re: [PATCH nfs-utils] exportfs: make "insecure" the default for all exports

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, May 25, 2025 at 6:47 PM Rick Macklem <rick.macklem@xxxxxxxxx> wrote:
>
> On Sun, May 25, 2025 at 5:09 PM NeilBrown <neil@xxxxxxxxxx> wrote:
> >
> > On Mon, 26 May 2025, Chuck Lever wrote:
> > > On 5/20/25 9:20 AM, Chuck Lever wrote:
> > > > Hiya Rick -
> > > >
> > > > On 5/19/25 9:44 PM, Rick Macklem wrote:
> > > >
> > > >> Do you also have some configurable settings for if/how the DNS
> > > >> field in the client's X.509 cert is checked?
> > > >> The range is, imho:
> > > >> - Don't check it at all, so the client can have any IP/DNS name (a mobile
> > > >>   device). The least secure, but still pretty good, since the ert. verified.
> > > >> - DNS matches a wildcard like *.umich.edu for the reverse DNS name for
> > > >>    the client's IP host address.
> > > >> - DNS matches exactly what reverse DNS gets for the client's IP host address.
> > > >
> > > > I've been told repeatedly that certificate verification must not depend
> > > > on DNS because DNS can be easily spoofed. To date, the Linux
> > > > implementation of RPC-with-TLS depends on having the peer's IP address
> > > > in the certificate's SAN.
> > > >
> > > > I recognize that tlshd will need to bend a little for clients that use
> > > > a dynamically allocated IP address, but I haven't looked into it yet.
> > > > Perhaps client certificates do not need to contain their peer IP
> > > > address, but server certificates do, in order to enable mounting by IP
> > > > instead of by hostname.
> > > >
> > > >
> > > >> Wildcards are discouraged by some RFC, but are still supported by OpenSSL.
> > > >
> > > > I would prefer that we follow the guidance of RFCs where possible,
> > > > rather than a particular implementation that might have historical
> > > > reasons to permit a lack of security.
> > >
> > > Let me follow up on this.
> > >
> > > We have an open issue against tlshd that has suggested that, rather
> > > than looking at DNS query results, the NFS server should authorize
> > > access by looking at the client certificate's CN. The server's
> > > administrator should be able to specify a list of one or more CN
> > > wildcards that can be used to authorize access, much in the same way
> > > that NFSD currently uses netgroups and hostnames per export.
> > >
> > > So, after validating the client's CA trust chain, an NFS server can
> > > match the client certificate's CN against its list of authorized CNs,
> > > and if the client's CN fails to match, fail the handshake (or whatever
> > > we need to do).
> > >
> > > I favor this approach over using DNS labels, which are often
> > > untrustworthy, and IP addresses, which can be dynamically reassigned.
> > >
> > > What do you think?
> >
> > I completely agree with this.  IP address and DNS identity of the client
> > is irrelevant when mTLS is used.  What matters is whether the client has
> > authority to act as one of the the names given when the filesystem was
> > exported (e.g. in /etc/exports).  His is exacly what you said.
> Well, what happens when someone naughty copies the cert. to a different
> system?
> --> It is true that verification will show that the cert. is valid, but is it
>       valid for that client system?
>      (Not checking the reverse DNS name makes the check somewhat weaker,
>        imho.
I should have said "reverse name lookup" and not reverse DNS. Important fqdn
names can be put in /etc/hosts and the system configured to look there before
DNS. If that is done on the NFS server end, a problem with DNS spoofing should
be avoided, I think?

rick

>        Now, is having the IP address in the cert. and checking
>        that stronger.
>        Well, maybe. The hassle is that the certs. all have to be replaced when
>        some network type decides to reconfigure the LANs or move the system
>        onto a different subnet for some reason.)
>
> Another way a cert. can be protected from being moved to a different client
> by someone naughty is adding a passphrase to it (the -aes256 option on
> the openssl command line when creating the CSR). The hassle is that
> someone has to type the passphrase in when the system is started/rebooted.
>
> There is no perfect solution (or security is not a binary value, if
> you prefer), so
> I chose to provide as many options as I could, so that sysadmins could choose
> what works for them. (Of course, they need to understand what is going on and
> documenting that can be a challenge.)
>
> rick
>
> >
> > Ideally it would be more than just the CN.  We want to know both the
> > domain in which the peer has authority (e.g.  example.com) and the type
> > of authority (e.g.  serve-web-pages or proxy-file-access or
> > act-as-neilb).
> > I don't know internal details of certificates so I don't know if there
> > is some other field that can say "This peer is authorised to proxy file
> > access requests for all users in the given domain" or if we need a hack
> > like exporting to nfs-client.example.com.
> >
> > But if the admin has full control of what names to export to, it is
> > possible that the distinction doesn't matter.  I wouldn't want the
> > certificate used to authenticate my web server to have authority to
> > access all files on my NFS server just because the same domain name
> > applies to both.
> >
> > Thanks,
> > NeilBrown





[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux