Re: [nfsv4] NFS over TLS for laptops

Craig Everhart <cfeverhart@gmail.com> Thu, 31 December 2020 18:17 UTC

From: Craig Everhart <cfeverhart@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Thu, 31 Dec 2020 13:17:52 -0500
Message-Id: <19476F5C-D194-419F-B67E-372A86CF8B35@gmail.com>
References: <628F3934-DF68-4AB2-914D-44E93F9CC31A@oracle.com>
Cc: Rick Macklem <rmacklem@uoguelph.ca>, Benjamin Kaduk <kaduk@mit.edu>, nfsv4@ietf.org
In-Reply-To: <628F3934-DF68-4AB2-914D-44E93F9CC31A@oracle.com>
To: Chuck Lever <chuck.lever@oracle.com>
X-Mailer: iPhone Mail (18B92)
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/jrCcSYcwri1UVqJ7LAHdNqkKhdU>
Subject: Re: [nfsv4] NFS over TLS for laptops
List-Id: NFSv4 Working Group <nfsv4.ietf.org>

Thanks, Chuck.  So—an authentication policy to interpret AUTH_SYS, for any UID/GID, as the connection-wide identity negotiated over TLS.

Thanks,
Craig


> On Dec 31, 2020, at 1:06 PM, Chuck Lever <chuck.lever@oracle.com> wrote:
> 
> 
> 
>> On Dec 31, 2020, at 12:37 PM, Craig Everhart <cfeverhart@gmail.com> wrote:
>> 
>> Am I the only clueless one who doesn’t understand what “TLS squashing” is or means?  If so I’ll go back to background and try to trawl old emails.  Otherwise, perhaps you could enlighten.
> 
> The original term was "TLS identity squashing" which I coined earlier
> in this thread. It has come to mean that the NFS server has a security
> policy that squashes AUTH_SYS user identities to a single UID, based
> on the client's TLS identity (X.509 certificate or pre-shared key).
> 
> 
> --
> Chuck Lever
> 
> 
>
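The policy Chuck describes, worked through in code as an added example that is not from this thread and not from any NFS server implementation. It decodes the XDR body of an RPC AUTH_SYS credential (authsys_parms, RFC 5531 Appendix A) and then ignores the uid/gid the client put in it, substituting the one local identity configured for the connection's TLS peer. The policy table, the "nobody" uid/gid of 65534, the rule that an unmapped TLS peer is squashed to anonymous, the refusal of AUTH_SYS on a non-TLS connection, and the sample credential are all assumptions constructed here.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass, field
from typing import Optional

# Assumed anonymous identity ("nobody"); real servers make this configurable.
ANON_UID = 65534
ANON_GID = 65534


@dataclass
class AuthSysCred:
    """authsys_parms as defined in RFC 5531, Appendix A."""
    stamp: int
    machinename: str
    uid: int
    gid: int
    gids: list[int] = field(default_factory=list)


def _xdr_uint(buf: bytes, off: int) -> tuple[int, int]:
    """Decode a 4-byte big-endian unsigned int; return (value, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated XDR unsigned int")
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _xdr_string(buf: bytes, off: int, maxlen: int) -> tuple[str, int]:
    """Decode an XDR string<maxlen>: length, bytes, padding to a 4-byte boundary."""
    n, off = _xdr_uint(buf, off)
    if n > maxlen or off + n > len(buf):
        raise ValueError("bad XDR string length")
    pad = (4 - n % 4) % 4
    return buf[off:off + n].decode("ascii"), off + n + pad


def decode_authsys(body: bytes) -> AuthSysCred:
    """Parse the opaque body of an AUTH_SYS credential, rejecting malformed input."""
    off = 0
    stamp, off = _xdr_uint(body, off)
    name, off = _xdr_string(body, off, 255)
    uid, off = _xdr_uint(body, off)
    gid, off = _xdr_uint(body, off)
    ngids, off = _xdr_uint(body, off)
    if ngids > 16:                         # gids<16> bound from the XDR definition
        raise ValueError("too many supplementary gids")
    gids = []
    for _ in range(ngids):
        g, off = _xdr_uint(body, off)
        gids.append(g)
    if off != len(body):
        raise ValueError("trailing bytes after credential")
    return AuthSysCred(stamp, name, uid, gid, gids)


def encode_authsys(cred: AuthSysCred) -> bytes:
    """XDR-encode authsys_parms; used here only to build the constructed sample."""
    name = cred.machinename.encode("ascii")
    pad = b"\0" * ((4 - len(name) % 4) % 4)
    out = struct.pack(">II", cred.stamp, len(name)) + name + pad
    out += struct.pack(">III", cred.uid, cred.gid, len(cred.gids))
    return out + b"".join(struct.pack(">I", g) for g in cred.gids)


@dataclass(frozen=True)
class Identity:
    uid: int
    gid: int
    gids: tuple[int, ...] = ()


class TlsSquashPolicy:
    """Collapse every AUTH_SYS uid/gid seen on a connection to the single local
    identity configured for that connection's TLS peer."""

    def __init__(self, table: dict[str, Identity], require_tls: bool = True):
        self.table = table          # TLS identity (cert subject or PSK id) -> local identity
        self.require_tls = require_tls

    def resolve(self, cred_body: bytes, tls_identity: Optional[str]) -> Identity:
        decode_authsys(cred_body)   # malformed credentials are rejected before any mapping
        if tls_identity is None:
            if self.require_tls:
                raise PermissionError("AUTH_SYS without TLS refused by policy")
            return Identity(ANON_UID, ANON_GID)
        # Known peer: the connection *is* that user, whatever uid/gid the cred claims.
        # Unknown peer: squash to anonymous (assumed default, in the spirit of all_squash).
        return self.table.get(tls_identity, Identity(ANON_UID, ANON_GID))


# Constructed sample: a laptop sends AUTH_SYS claiming root (uid 0, gid 0, gids 0 and 10).
SAMPLE_CRED = encode_authsys(AuthSysCred(0x5FEE1234, "laptop.example", 0, 0, [0, 10]))
SAMPLE_POLICY = TlsSquashPolicy({
    "CN=alice-laptop": Identity(1001, 1001, (1001, 2000)),
})

if __name__ == "__main__":
    claimed = decode_authsys(SAMPLE_CRED)
    effective = SAMPLE_POLICY.resolve(SAMPLE_CRED, "CN=alice-laptop")
    print(f"claimed uid={claimed.uid} gid={claimed.gid}; effective {effective}")
    print("unknown peer ->", SAMPLE_POLICY.resolve(SAMPLE_CRED, "CN=stranger"))
```

The credential is still fully parsed and bounds-checked (string<255>, gids<16>, no trailing bytes) so that a malformed AUTH_SYS body is rejected as a protocol error rather than silently mapped; the uid/gid it carries only matter for audit, since the TLS identity decides who the connection is.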