Re: [nfsv4] NFS over TLS for floating clients

Rick Macklem <> Wed, 01 April 2020 19:26 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 485793A180F for <>; Wed, 1 Apr 2020 12:26:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zrk8U59jzoia for <>; Wed, 1 Apr 2020 12:26:11 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 41BFF3A180D for <>; Wed, 1 Apr 2020 12:26:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=Ek7smN271k3IJlF5O6OIZC7soWu7WMFZ0VFMpJ6PfWcthjm81kuawAvCXfEawQCQeuitg2rnHj2l2FJpPtdN+Z+qrOGlk3vFqZJtGlZsEWT2s6AjgfGXBcveOjRlE0m9T1O2598KRf7dZ1slB+kGeqfeWO0WEU9xSK+M8zUG7cGldcF+ePs+u7K8MWl7+khAR+Bix2xPZJsTsrMaHhECBXicR9EcwUl1iA2k10OqHTqixV8yT9Nggy5HXv7250QGA7ciyaAYYon3PdKm/cvaj5QZMlBS/TuDfS6SNyuXcSZu83o6JK+nSvumvZClrKDkTUI/ps+FTe+hYpROIgirkQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=HmnfSCTmxNg+seh5NeWXDwveZnw7D4UkXHGlxHd/7ls=; b=lBuJmKoh62Ng/5bSYOPcPwQC4Ck7AjPI58foZ5vKrR7rL+qGHLO0R7VpCqWICCR9UruI5C/LmwDb1hYhbwlQOXe302yJY85aqLVfBaaSTi0I6jSOp1J1x/7RhBgZCBT4uYaNdBVLOek2qY2I5UE/tZJoPEvdKDwFMUiN/Sr7BOH/q5p9cyqUP9r6pO0wxHLjEyo0YhUOowjOPXdvGKzd7ZT0uHqTb3RtgQpD3rH+u/K8F7yDCxpd0+9Ix3g7C2nasBs2OOmTjtpt5sk3DEZ+lnFSjGZrMMIux8XtIo26A6qS83gcLPoeA8ls0pspNA1iA5Jo9IKpwCWQNIjpxyOJgw==
ARC-Authentication-Results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
Received: from QB1PR01MB3649.CANPRD01.PROD.OUTLOOK.COM ( by QB1PR01MB2771.CANPRD01.PROD.OUTLOOK.COM ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2856.18; Wed, 1 Apr 2020 19:26:09 +0000
Received: from QB1PR01MB3649.CANPRD01.PROD.OUTLOOK.COM ([fe80::ed8c:7662:79ba:5f9f]) by QB1PR01MB3649.CANPRD01.PROD.OUTLOOK.COM ([fe80::ed8c:7662:79ba:5f9f%5]) with mapi id 15.20.2856.019; Wed, 1 Apr 2020 19:26:09 +0000
From: Rick Macklem <>
To: Benjamin Kaduk <>
CC: Craig Everhart <>, Trond Myklebust <>, "" <>
Thread-Topic: [nfsv4] NFS over TLS for floating clients
Thread-Index: AQHV82BAxp9O6fa7qEu4EnWyACrtOKg77jqAgAAISoCAADDgO4Aiyq+AgAGITzuAAa3vAIACo+Gj
Date: Wed, 1 Apr 2020 19:26:09 +0000
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: f843e4ae-7e23-43d1-95cd-08d7d67287fe
x-ms-traffictypediagnostic: QB1PR01MB2771:
x-microsoft-antispam-prvs: <QB1PR01MB277187FCD9875E6945518A2BDDC90@QB1PR01MB2771.CANPRD01.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 03607C04F0
x-forefront-antispam-report: CIP:; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:QB1PR01MB3649.CANPRD01.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFTY:; SFS:(10009020)(39860400002)(136003)(366004)(346002)(376002)(396003)(786003)(66446008)(966005)(33656002)(8676002)(64756008)(30864003)(478600001)(66946007)(7696005)(76116006)(6506007)(186003)(81156014)(86362001)(53546011)(52536014)(66476007)(66556008)(2906002)(54906003)(8936002)(55016002)(6916009)(9686003)(81166006)(316002)(71200400001)(66574012)(5660300002)(4326008); DIR:OUT; SFP:1101;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: gZb6+DzPpk8/bo0+Ul0WcBsdUU6nSvc1mf9Ujd4PHHW/zRibChF3nanjL5uD1ZoQ6jxZmhiz9tGMinhlF9v3nCCIwOvhE5Ir6E8JTzApl8ExueDfwiHi4gLm7LWP6V0PwDhwk2L9G2k+mPvfhTPE78ITQCYmQBcxJFhUD2jStk7HSAEiq6Ux15dno6SXvlMooHHBgu0iHf1fUQmmmxcRRuMF4iHV/UaIVwiwNaIdyog6+Gz55t9uXZ6rTPBEoq9JoFKqXZoVCcHa6E06pxvlUEQNUlM96LIpHnRlMfZ33xqdpdRCKpA+x3OAB+ibYzRi7fYMMYg6cGz8rxT8ZgowUdm8mj7GucoeS8N1u5ZSeHRrNKjjewZ22C1iYc1z8iyI5F1PBPQP5B2sj3EKP6nNd6A26hUA50UP1aesTrMavYHn6Q9BLRy0fxqIZawPcc78+4cBOPpRgJO9KR/U2ZjQLBdwipKzhN3JMs4Ey0OvGWvEDYq/o9RR4l6DrDVEiQzo6v6y9E5FBmSJmVdwr9ztBg==
x-ms-exchange-antispam-messagedata: A1KTBmnHHVy4BtTvh+pP6VtS4E7/J0aNIwbziAmrUknTeRxtSjM1mP0ZluDKRqF2MThhgNIZ1Q+WDRMTmubE1AEICrqyGmefOR6zbMZB6cwpahOwzibF/VssdeebsU4i4X9J5H7ht6SGe1Ym8mHisoObC6wPOPxmb5TYbXuPbmBJ0I65OHQwb3P99Yj2tjcTfs7UA+yYWqJSbih3vWUKFg==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: f843e4ae-7e23-43d1-95cd-08d7d67287fe
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Apr 2020 19:26:09.1469 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: be62a12b-2cad-49a1-a5fa-85f4f3156a7d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 2UhEdJGm0E1l1cvG91xcaaMPkhMEQdLaJmVJUqnWpvHUEMFjU4TYswwkjD49K2QmySJdhcTDb17LnORx2L+ORw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: QB1PR01MB2771
Archived-At: <>
Subject: Re: [nfsv4] NFS over TLS for floating clients
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 01 Apr 2020 19:26:15 -0000

Benjamin Kaduk wrote:
>On Mon, Mar 30, 2020 at 02:16:46AM +0000, Rick Macklem wrote:
>> Benjamin Kaduk wrote:
>> >On Fri, Mar 06, 2020 at 10:47:29PM +0000, Rick Macklem wrote:
>> >> Craig Everhart wrote:
>> >> >I think the problem statement contains the issue here:
>> >> >> Here's an example scenario:
>> >> >> - The client is a laptop that wants to mount a server from "anywhere" using
>> >> >>   TLS, so that data is encrypted on the wire.
>> >> >>   The server understandably wants to use "mutual authentication" to determine
>> >> >>   that the client is indeed one that is allowed to mount the server.
>> >> >What attribute is the server looking for that will "allow" the server to be mounted?
>> >> >And can it be done anonymously, which this "anywhere" laptop really wants to be?
>> >> >
>> >> >Note that on-the-wire encryption will be done even if there is no client certificate--as long as >the server has a certificate (or if the client/server are using a pre-shared key, which is a little >further afield).
>> >> Yes, but I wouldn't be comfortable with "any" client mounting from anywhere.
>> >
>> >The NFS server can decide which X.509 CAs it will trust to issue
>> >certificates that it wants to use.  Whether this is a "well-known global
>> >CA" or a local one is just a matter of configuration, and doesn't really
>> >need to be nailed down at a protocol level.
>> >
>> >> >If the client owns a domain, somehow, then the PKI machinery is available to it; a certificate >will allow it to prove that it is able to speak for that domain name.  Is that what's being >checked as this stuff about "allowing" the mount?
>> >> Well, I didn't envision the laptop owning a domain, but I suppose that might work.
>> >> (Since the laptop's IP address/DNS host name wouldn't match this domain, it sounds
>> >>  a bit sketchy, but so is the use of a certificate signed by the NFS admin using a site
>> >>  local CA, see below.)
>> >
>> >There's a little bit of a mismatch between what TLS client certificates say
>> >and what TLS server certificate say, at least in the common class of usage.
>> >If you read RFC 6125, you note that it *only* talks about naming TLS server
>> >certificates, because the process for that is along the lines of "the
>> >client figures out in some mechanism specified by the application protocol
>> >a name that it's trying to contact, and the server has to present a
>> >certificate that matches that desired name".  For client certificates, on
>> >the other hand, the server may not have some preconceived notion of what
>> >identity the client should be proving, and so the X.509 certificate serves
>> >solely as an identifier, not a verification of identity.  In this sense,
>> >depending on the server's authentication policy, there's not necessarily a
>> >need for the client to have a well-known IP address or DNS name to validate
>> >against.
>> A case I've coded up that may or may not be allowed by the current draft is:
>> - Optionally, if the client presents a certificate to the server that verifies and
>>    where the CN is of the form "user@dns_domain", then this "user" is translated
>Oof, could I persuade you to go with a subjectAltName instead?  Putting
>structure within (or really, using at all) the legacy subject CN is
>generally disrecommended.
I've changed it to use the otherName field of subjectAltName.
I haven't figured out a nice way to input this to openssl, but inputting:,otherName:;UTF8:rick@my.domain

>>    to a set of credentials used for all RPCs on the TCP connection instead of
>>    what is   provided in the RPC request header. I put "user" in quotes because
>>    I think you can argue that this is the identity of the client host and the server
>>    chooses to assign credentials to that client identity.
>>    (Basically, I'd argue that, for laptops, the line between "user" and "host" is fuzzy
>>     and normally one and the same.)
>This is a unique-enough usage that I'd recommend a dedicated OID for the
"otherName" SAN type.

Any quick hints on how I get an OID?

>>> As for the current draft, it says:
>>> (end of sec. 4.2)
>>> In either of these modes, RPC user authentication is not affected by
>>>    the use of transport layer security.  When a client presents a TLS
>>>    peer identity to an RPC server, the protocol extension described in
>>>    the current document provides no way for the server to know whether
>>>    that identity represents one RPC user on that client, or is shared
>>>    amongst many RPC users.
>> True, although there is the case where there is only one user on the client
>> and that is known by the server administrator.
>>  Therefore, a server implementation must not
>>    utilize the remote TLS peer identity for RPC user authentication.
>> I would argue that this is a server implementation choice and does not
>> affect the protocol.
>I'm inclined to agree with Chuck -- this is passing information across
>layers of the protocol stack in a way that is not well understood, and the
>spec forbids it because of the potential for hazardous consequences.
True. I am going to respond to Chuck's comments in a separate post
(since they are not here).


> (in sec. 7.3)
> In light of the above, it is RECOMMENDED that when AUTH_SYS is used,
>    every RPC client should present host authentication material to RPC
>    servers to prove that the client is a known one.  The server can then
>    determine whether the UIDs and GIDs in AUTH_SYS requests from that
>    client can be accepted.
> I would argue this is what the above case does.

I would frame it differently, in that the client is authenticating itself
and the server is (possibly implicitly) restricting that client to only
allow AUTH_SYS authentication to a specific subset of users (possibly only
one).  But it's the client that authenticates with host credentials and
asserting user identity, and the server trusting the client to faithfully
represent the user identity.

> The use of TLS does not enable RPC clients to detect compromise that
>    leads to the impersonation of RPC users.  Also, there continues to be
>    a requirement that the mapping of 32-bit user and group ID values to
>    user identities is the same on both the RPC client and server.
> Doing the above solves/avoids this problem.
> I do feel the above case can be useful (optionally, not always) and I would
> appreciate comments w.r.t. it.
> If others think it is a reasonable approach, it would be nice if the draft allowed
> it, but I can leave it in the FreeBSD code, noting it is "non-RFC conformant".
> >> >I think that there's a problem with the NFS server wanting to know much about the client, >unless it's limited to a DNS name.
> >> Well, my thinking is that, if the NFS admin. is running a site local CA and the client has
> >> a certificate signed by that site local CA, then the certificate must have been issued by
> >> the NFS admin. I don't think the contents of the certificate is of much use in this case,
> >> just the fact it was signed by the NFS admin. using the site local CA.
> >> Creating the site local CA just seems easier and cheaper than trying to register a
> >> domain name for a laptop and getting a certificate signed by a trusted CA.
> >> After all, some of the motivation for doing NFS over TLS is that NFS admins. don't
> >> seem willing to run KDCs, etc and use sec=krb5p. To get it widely adopted, I think
> >> it needs to be relatively simple to set up and use.
> >>
> >> Obviously, if the laptop is compromised and the certificate signed by the site local CA
> >> is copied to a different system, then that system could mount the server.
> >> (I think exactly the same risk exists for a certificate for a domain owned by the laptop
> >>  and signed by a trusted CA. ie. Copy the certificate to a different system and it
> >>  would allow that system to mount the server.)
> >> Whether or not that is an acceptable risk is up to the NFS admin, I think?
> >
> >It's also possible to put the private key for the certificate in a
> >protected hardware module on the laptop, so that the key cannot be copied
> >elsewhere (and thus the copied certificate would not be useful).
> I'll admit I know nothing about protected hardware modules, but it is easy
> to have the client's private key encrypted so that the user must enter a
> passphrase when they start the daemon to unencrypt the key.
> --> A bit of a bother, but not that bad for a laptop.
>    (Of course, if the client laptop is compromised, the typed in passphrase could
>     be captured, but this handles the simple case of the key, certificate being copied
>     to a different laptop.)

"PKCS #11 hardware token" is probably the best search term to start with.
(There is at least one implementation that uses software to emulate this
interface as well, for testing.)

> Also, for my CN set to "user@dns_domain" case, the certificate only allows access
> to the NFS server as "user" and is less useful if compromised.

It's also possible to define a new certificate purpose via X.509 extension
for NFS use.  I'd have to reflect a bit more on whether that's the right
thing to do here (and possibly consult the LAMPS WG as well).


> Thanks for your comments, rick
> > rick
> > Craig
> >
> > On Fri, Mar 6, 2020 at 2:08 PM Trond Myklebust <<>> wrote:
> > On Thu, 5 Mar 2020 at 22:06, Rick Macklem <<>> wrote:
> > >
> > > Hi,
> > >
> > > As I am working through implementation of NFS over TLS, I have run into
> > > a couple of things related to certificates.
> > > Here's an example scenario:
> > > - The client is a laptop that wants to mount a server from "anywhere" using
> > >   TLS, so that data is encrypted on the wire.
> > >   The server understandably wants to use "mutual authentication" to determine
> > >   that the client is indeed one that is allowed to mount the server.
> > >
> > > Ok, so now how do you get a certificate for the client that the server can
> > > reasonably verify?
> > > --> After a discussion over on a FreeBSD mailing list, it sounds like the easy
> > >       (maybe only?) way to do this is for the NFS server admin. to run a site local
> > >       CA and generate certificates against that.
> > >       - Although I'm sure there are other ways, you can create a site local CA
> > >          certificate with two openssl commands and sign a certificate for a client
> > >          with two more openssl commands.
> > >      Then the server can verify the certificate using the CAcert that was used to
> > >      sign the client's certificate.
> >
> > It really boils down to the question of who do you trust to assert
> > what information.
> >
> > If you own a domain, you can usually buy SSL certificates for it that
> > assert a given name within that domain. As long as you trust the major
> > CA vendors not to sell such a certificate to someone who does not own
> > the rights to the domain, then you might have your server use that
> > chain of trust to verify that this is indeed a trusted laptop. You
> > might decide to compare the full name appearing in the certificate to
> > a trusted list, or maybe just verify that the domain or subdomain info
> > matches a list of trusted domains or subdomains. Yes, you can do this
> > more cheaply by creating your own site-local CA, but it is essentially
> > the same process of setting up a chain of trust for your source of
> > information and then of asserting that information in a certificate.
> >
> > > Now, when I read the sections around Page 6 of the draft...
> > >    Mutual Host Authentication
> > >       In this type of deployment, the client possesses a unique global
> > >       identity (e.g., a certificate).  As part of the TLS handshake,
> > >       both peers authenticate using the presented TLS identities.  If
> > >       authentication of either peer fails, or if authorization based on
> > >       those identities blocks access to the server, the client
> > >       association MUST be rejected.
> > > For the above, the client does not possess a unique global identity,
> > > it might more correctly be called a "site local identity" that the server
> > > can authenticate.
> > > Is the "unique global identity" requirement necessary? It seems to me
> > > that a site local CA issued certificate might be appropriate.
> > > (RFC 5280 page 12, second (a) item seems to allow site local CA
> > >  certificates).
> >
> > It might be better to word in terms of the language of chains of
> > trust. "...the client possesses an identity (e.g. a certificate) that
> > is backed by a trusted entity."
> I think there's a few different ways to word this, and don't expect us to
> be particularly sensitive to the details of the wording.  As Tigram(IIRC?)
> noted upstream, the combination of issuer, key, and subject name really
> will be globally unique, so the current wording doesn't seem technically
> wrong, albeit an unusual way to phrase it.
> -Ben
> > > Also, w.r.t. server certificates, the draft says:
> > >    Each RPC server that supports RPC-over-TLS MUST possess a unique
> > >    global identity (e.g., a certificate that is signed by a well-known
> > >    trust anchor).  Such an RPC server MUST request a TLS peer identity...
> > > I wonder if the above must be a MUST?
> > > For example, I have an NFS server at home. It doe not have a well known
> > > fixed DNS address (residential internet connection, where it sits behind
> > > a NAT gateway where the address stays the same most of the time).
> > > --> If I want to mount this server from anywhere, I do want to use TLS
> > >       so that data is encrypted on the wire. Although it would be nice for
> > >       the laptop to be able to verify the server's identity, I don't see how I
> > >       can get a certificate for it from a well known trust anchor. I can live
> > >       with it having a self-signed certificate.
> > >
> > > Also, although an NFS server administrator can get a certificate from a
> > > well known trust anchor, it might cost $$ or it might not be easy. (Lets
> > > Encrypt expects to be able to use ACME on a web site or similar to issue
> > > a certificate, if I understand their setup?)
> > >
> > > Acquiring a certificate from a "well known trust anchor" might be a
> > > significant effort that will discourage use of TLS. (Again, you can easily
> > > create a self-signed certificate with a couple of openssl commands.)
> > > --> Maybe this could be a recommendation instead of a MUST and
> > >        the choice of accepting a self-signed certificate be left up to the
> > >        client via configuration?
> > >
> > > So, what do others think about this? rick
> > >
> > >
> > > _______________________________________________
> > > nfsv4 mailing list
> > ><>
> > >
> >
> > _______________________________________________
> > nfsv4 mailing list
> ><>
> >
> >
> > _______________________________________________
> > nfsv4 mailing list
> >
> >