IETF Logo Mail Archive

Re: [nfsv4] NFS over TLS for laptops

Benjamin Kaduk <kaduk@mit.edu> Fri, 01 January 2021 05:58 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23FA03A0DAD for <nfsv4@ietfa.amsl.com>; Thu, 31 Dec 2020 21:58:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mQAm2SxdYbhF for <nfsv4@ietfa.amsl.com>; Thu, 31 Dec 2020 21:58:40 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 830F83A0DAC for <nfsv4@ietf.org>; Thu, 31 Dec 2020 21:58:40 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 1015wXKH019743 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 1 Jan 2021 00:58:37 -0500
Date: Thu, 31 Dec 2020 21:58:32 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Rick Macklem <rmacklem@uoguelph.ca>
Cc: Chuck Lever <chuck.lever@oracle.com>, "nfsv4@ietf.org" <nfsv4@ietf.org>
Message-ID: <20210101055832.GK93151@kduck.mit.edu>
References: <YQXPR0101MB09680BC1A27265F81C5B5671DDC40@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <DEBCFB38-9A1A-43BB-A8DF-0C64792AF30F@oracle.com> <YQXPR0101MB09689564C0543291E25FB274DDC20@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <YQXPR0101MB09687759005C97725CFC1AFCDDC10@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <13B0E10F-0E40-47AC-A6E3-495DF578DCAB@oracle.com> <YQXPR0101MB0968D1AB5DC7A55DE4E5F404DDDE0@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <1113F47A-BDA1-4C34-95B4-1EB8076BA071@oracle.com> <20201229190707.GB89068@kduck.mit.edu> <0D8595B7-4636-4E6A-A5C1-E0FE85D820D0@oracle.com> <YQXPR0101MB096833395FEE6E63590BE7B5DDD60@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <YQXPR0101MB096833395FEE6E63590BE7B5DDD60@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/W5TWffEsCvQDppFeyrMn_Bh7kyU>
Subject: Re: [nfsv4] NFS over TLS for laptops
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Jan 2021 05:58:42 -0000

On Thu, Dec 31, 2020 at 04:53:04PM +0000, Rick Macklem wrote:
> Chuck Lever wrote:
> > Ben Kaduk wrote:
> >>
> >> I suspect that we can find a compromise position, yes.
> >> The certificate still authenticates the client (not the user), and the
> >> client uses AUTH_SYS to claim what user is performing operations.  But the
> >> server uses the client's authenticated identity to restrict, by policy,
> >> what user identities the client is allowed to claim via AUTH_SYS.  In the
> >> degenerate case there is an otherName in the certificate that corresponds
> >> to a single user and the client can only claim that one user, which looks
> >> very similar to just authenticating the user, but we can say that the
> >> relevant policy logic is located in the server as part of its internal
> >> implementation choices.
> >
> >An NFS client might send legitimate operations as UID 0 too
> >(e.g., lease management). Those cannot be rejected. Perhaps
> >we need to specify that the client has to perform _all_
> >operations as the squashed user.
> Yes. I agree with this.
> My current implementation simply ignores the AUTH_SYS RPC
> credential when TLS squashing is enabled.

Hmm, that may not be as robust as you want, since a certificate is allowed
to have more than one SAN of any given type.  I think that if we do write
up something like this we should be sure to define behavior when multiple
names are present in the certificate.

-Ben

v2.23.0 | Report a Bug | By Email