Re: [nfsv4] NFS over TLS for floating clients

[Rick Macklem <rmacklem@uoguelph.ca>]

Chuck Lever wrote:
> On Mar 29, 2020, at 10:16 PM, Rick Macklem <rmacklem@uoguelph.ca> wrote:
>>
>> A case I've coded up that may or may not be allowed by the current draft is:
>> - Optionally, if the client presents a certificate to the server that verifies and
>>   where the CN is of the form "user@dns_domain", then this "user" is translated
>>   to a set of credentials used for all RPCs on the TCP connection instead of
>>   what is   provided in the RPC request header. I put "user" in quotes because
>>   I think you can argue that this is the identity of the client host and the server
>>   chooses to assign credentials to that client identity.
>>   (Basically, I'd argue that, for laptops, the line between "user" and "host" is fuzzy
>>    and normally one and the same.)
>>
>> As for the current draft, it says:
>> (end of sec. 4.2)
>> In either of these modes, RPC user authentication is not affected by
>>   the use of transport layer security.  When a client presents a TLS
>>   peer identity to an RPC server, the protocol extension described in
>>   the current document provides no way for the server to know whether
>>   that identity represents one RPC user on that client, or is shared
>>   amongst many RPC users.
>>
>> True, although there is the case where there is only one user on the client
>> and that is known by the server administrator.
>>
>> Therefore, a server implementation must not
>>   utilize the remote TLS peer identity for RPC user authentication.
>>
>> I would argue that this is a server implementation choice and does not
>> affect the protocol.
>
>I don't fully understand this statement, but the protocol described in
>draft-ietf-nfsv4-rpc-tls forces this choice to be "does not utilize
>the TLS peer identity for RPC user authentication."
Btw, when I said "does not affect the protocol" I was referring to what goes
on the wire. The only thing that changes in the content of the client's certificate,
which is not covered by this document (except for where the DNS name goes).
--> Actually I am surprised that Ben and others accept putting the DNS name in
      the CN field of subjectName and aren't insisting it be in the DNS field
      of the subjectAltName. (I, personally, don't care.)

>IMO we cannot
>relax this requirement in this protocol, though it can be revisited if
>RPC is made to handle user authentication with certificates: I will
>be discussing that possibility during our interim meetings in April.
>
As you'll see below, I am not talking about user authentication, I am
referring to what credentials are being used for an RPC, which I believe
is a server configuration issue.
FreeBSD NFS server have had a "-mapall" option which says "use these
credentials for all RPCs for a very long time (since the 1980s, I think?).

>A connection/TLS session uses exactly one pair of certificates for its
>entire lifetime: a server cert and a client cert (let's set aside the
>"no client cert" case for a moment).
>
>After the TLS session has been established, in general a client is free
>to send multiple RPC user identities on that connection. Users have no
>association with the certificate the client used to establish that
>session.
Yes, I understand all of the above.

>
>The certificates here are used to establish secure communication between
>two hosts. They are not intended to be used for authenticating RPC user
>identities, period.
Yes, I understand that you do not want to address user authentication, which
the draft clearly defines as the credentials in the RPC request header.

Another way to put what I am doing is:
- The server derives "machine credentials" from the client's certificate.
  The server then chooses via server configuration what RPCs are performed
  using these machine credentials instead of the user credentials derived from
  the RPC request header.

I know that Sun RPC has never had the concept of machine credentials and
that is one reason why it has not been a great fit for NFSv4, since NFSv4 does
use machine credentials.
- The workaround has been for the NFSv4 server to define the user credentials
   used for the first ExchangeID (SetClientID) operation as the machine credentials
   that must be used.
   For AUTH_SYS, this is typically the infamous uid == 0.
   For RPCSEC_GSS (Kerberos mechanism), it has typically required:
   - host based principal being created on the KDC.
   - keytab entry for this principal being created.
   - this keytab entry being copied to the client via some secure method.
(I won't bother to mention what credentials actually get used for callbacks.
 I'll admit I don't even understand how to do callback user credentials via
 RPCSEC_GSS. I think most just use AUTH_SYS with uid == 0 and clients mostly
 ignore the RPC request credentials for callbacks?)

It might make sense to look at using client certificates to create machine credentials
in the future?

I am fine with this not being allowed by this spec. I will simply document that.
However, you could state:
Creation of machine credentials from peer certificates is out of the scope of
this document.

>We do not want to alter RPC user authentication at this time. If using
>a certificate to identify an RPC user is something we _do_ want to do,
>and we most likely do want to allow it eventually, then that will
>require a different set of changes to the RPC protocol, and not just at
>the transport layer.
I have no idea what you are considering, but if it is along the lines of
clients providing separate X509 certificates for each user,
I think that would require:
- generation of certificates for every user
- copying these certificates into a database on each client in some secure
  manner.
  - You almost have to generate a separate certificate for each user for each
     client (ie. #clients * #users).
--> Too much administrative overhead, in my opinion.
It is easier (and a better fit, imho) to just use Kerberos for this case and it
is already implemented and works.

However, I do think that a certificate is a good fit for machine credentials,
which is not a good fit for Kerberos (the above exercise of host based principal...).
Having a way for clients to do a Kerberos NFSv4 mount without the host based
principal in a keytab on the client, would make Kerberized NFSv4 easier, I think?

>> (in sec. 7.3)
>> In light of the above, it is RECOMMENDED that when AUTH_SYS is used,
>>   every RPC client should present host authentication material to RPC
>>   servers to prove that the client is a known one.  The server can then
>>   determine whether the UIDs and GIDs in AUTH_SYS requests from that
>>   client can be accepted.
>>
>> I would argue this is what the above case does.
>>
>> The use of TLS does not enable RPC clients to detect compromise that
>>   leads to the impersonation of RPC users.  Also, there continues to be
>>   a requirement that the mapping of 32-bit user and group ID values to
>>   user identities is the same on both the RPC client and server.
>>
>> Doing the above solves/avoids this problem.
>>
>> I do feel the above case can be useful (optionally, not always) and I would
>> appreciate comments w.r.t. it.
>> If others think it is a reasonable approach, it would be nice if the draft allowed
>> it, but I can leave it in the FreeBSD code, noting it is "non-RFC conformant".
>
>IMO you should wait until the RPC protocol has a purpose-built mechanism
>for user authentication via certificates, then implement a client that
>presents the same certificate to establish a TLS session as it does to
>identify its only user.
As above, I'm not convinced this is practical.

>However, you can probably make your current proposed implementation a
>little more future proof:
>
>An NFS client should use AUTH_NONE for your use case, since the NFS
>server ignores the client-provided RPC user identities. Maybe the server
>should enforce the use of AUTH_NONE. That would possibly navigate around
>the restriction stated in rpc-tls that the server cannot use the client's
>TLS identity to make RPC user-specific authentication and authorization
>decisions.
I don't believe extant NFSv4 clients can be configured to use AUTH_NONE
for all RPCs. What I am doing should work with an extant NFSv4 client once
it has RPC-over-TLS support (I'm assuming client's will consider the X509
certificate is an opaque blob that is only used for the TLS handshake).

>Add the following per-export controls on your NFS server implementation:
>
>- A control requiring a TLS connection to access the shared filesystem.
Yes, this exists in my implementation as the export option "-tls".

>- A control requiring the client to present a certificate to establish
>a TLS session (ie, the server should prevent TLS with anonymous clients).
Yes, this exists in my implementation as the export option "-tlscert".

>- A control that enables mapping between the client's TLS identity to a
>particular user identity that already exists on your server. The mapping
>should happen via NFSv4 id-mapping. Then the server can map both user-
>specific or client certificates to particular local user identities.
As above, I do not think user specific certificates is practical.
(Of course, feel free to prove me wrong;-)

>
>It's significantly more secure if the server is pre-configured with
>known user/client identities. Then, if the server does not recognize a
>client's certificate, it rejects the attempt to establish a TLS
>session.
I also have the "-h" option on the server side TLS handshake daemon,
which states that the client's certificate must have a DNS name that
matches the reverse DNS name for the client's IP address.
--> This is on the daemon and not in exports, since for this case,
      the IP address presented by the client is not trusted and, as such,
      the exports file cannot be applied to it until it has passed this
      requirement. (With "-h" it follows RFC 6125 style verification, but
      for on the server for a client certificate and not the other way around.)

rick

--
Chuck Lever