List-Archive: https://lists.freebsd.org/archives/freebsd-fs
From: Rick Macklem
Date: Tue, 9 Apr 2024 15:24:24 -0700
Subject: Re: Kerberised NFSv4 - everyone gets mapped to nobody on file access
To: Andreas Kempe, Freebsd fs
On Tue, Apr 9, 2024 at 2:57 PM Andreas Kempe wrote:
>
> Thank you for all your help, Rick!
>
> I have spent a few too many hours trying to get this to work and have
> decided to give up on Kerberos and keep running sec=sys for the time
> being. Once all our Linux clients become modern enough, I might give
> TLS a shot instead.

Just fyi (and for others reading this), using NFS over TLS provides somewhat different security. Both sec=krb5p and NFS over TLS provide encryption on the wire, but Kerberos provides user authentication and TLS does not. TLS does optionally allow the client to provide an X.509 certificate during the TLS handshake, which is typically used to identify the client system and not a user.

There is one exception for NFS over TLS, typically referred to as "TLS identity squashing", where a single user is identified in the TLS certificate the client presents to the server. For this case, all RPCs on the mount are done as that user. (Useful for cases like personal laptops/desktops, but not for generic mounts.)

So, if your main security concern is "unencrypted data on the wire", NFS over TLS is attractive.
However, if your main security concern is "malicious users on client machines", NFS over TLS does not help much, unless you can map all users on the client to one user on the server.

rick

>
> Best regards,
> Andreas Kempe
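The three server-side configurations discussed in the message above, written out as an added example that is not part of Rick's post. The option names (`-sec`, `-tlscert`, `-tlscertuser`) are those of FreeBSD's exports(5); the hostnames and export paths are constructed, and the exact option combinations accepted should be confirmed against exports(5) on the server's FreeBSD version. The comments spell out which of the two threats named in the message each line actually addresses.

```conf
# /etc/exports on the FreeBSD NFS server (constructed hostnames and paths)

# Kerberos with privacy (sec=krb5p): the wire is encrypted AND every user
# is authenticated by their own ticket. A malicious local root on the
# client cannot impersonate another user without that user's credentials.
/export/home    -sec=krb5p      ws1.example.org ws2.example.org

# NFS over TLS, generic mount: the wire is encrypted and the client must
# present an X.509 certificate, but that certificate identifies the
# machine, not the user. uid/gid still arrive as AUTH_SYS values chosen by
# the client, so a malicious local root can still claim any uid.
/export/shared  -tlscert -sec=sys   ws1.example.org ws2.example.org

# NFS over TLS with "identity squashing": the client certificate names a
# single user, and every RPC on this mount runs as that user regardless of
# the uid the client presents. Suitable for a personal laptop or desktop;
# unsuitable for a multi-user machine, since everyone becomes that user.
/export/laptops -tlscertuser -sec=sys   laptop1.example.org
```

On the TLS lines the server needs rpc.tlsservd(8) running and the clients need rpc.tlsclntd(8) plus the `tls` option to mount_nfs(8); none of that changes the point of the message, which is that only the krb5p line gives the server a per-user identity it can trust.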