[nfsv4] NFS over TLS for laptops
Rick Macklem <rmacklem@uoguelph.ca> Sun, 13 December 2020 00:02 UTC
Return-Path: <rmacklem@uoguelph.ca>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F215F3A0F06 for <nfsv4@ietfa.amsl.com>; Sat, 12 Dec 2020 16:02:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.901
X-Spam-Level:
X-Spam-Status: No, score=-0.901 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=uoguelph.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dFHfHQJEdh3N for <nfsv4@ietfa.amsl.com>; Sat, 12 Dec 2020 16:02:04 -0800 (PST)
Received: from CAN01-TO1-obe.outbound.protection.outlook.com (mail-eopbgr670080.outbound.protection.outlook.com [40.107.67.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54ED63A0F04 for <nfsv4@ietf.org>; Sat, 12 Dec 2020 16:02:04 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Isu11b3aJDb+Fj6nKNdf6/gGEohcx6Xrec0aCDJFGK59G+FwzLWPeJFS6xk9yIzMt7SpAuGBLTp2z0Hr5iisL1uIyq9ycxTb68Z99+Me/T5ZBz/PoFEnRwsHhpyBMc+vO0Tei8vZUDZAcXIe4cpd8OGLz9iuFZgY7yDj/Yq86W1/UfR76RhgqUmbMujlhYclHpke5dlNAuWLz/YOQzOAPZnLShetse3VbHFAiJhwjEUZ/+jGqvsqpogYqYla+5e6Zttjuk0JXWY7hUx0X3VaGI6n38Bgetpy/w44m9zG9co40Ivugj/aWVJO3NQZMzLJSh5n+Z/CWnNcYCi+nw1img==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=lMh25VOZ/XS4SnaIwBw6MJSkf6BB23NmP0aqhyoq6eU=; b=AYZaW4FyCMf5vz3oTNIS2aWjotKSCvdDr8JfgKvYVMOUtq5Qnk54LT8dCe95nvA+Gr7k3fTCmvrzs0lW+gr1deEa2HhY0zEBPsscdFynOF/w+ec6SGC4IzjhuKTdo7TRmG4IFCjTZUr5bXfBmf6LuhZamae99hLKn85eNRaVwodWu+iA6uXg5kfK08hfnlkJB0NaSV1p3zDI2cqbHYR0unCni1qHcQChCid4kjpmGvUccvon96ycZangwb4jdBOtNbBcLZ6eD7ZihRo2kpHifbyI8kjC6NsgujdgYUV4KbHCRgCpPRvIg6m5DUhMvxzJOphFq4+4JSvaqyEB7io9kQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=uoguelph.ca; dmarc=pass action=none header.from=uoguelph.ca; dkim=pass header.d=uoguelph.ca; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uoguelph.ca; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=lMh25VOZ/XS4SnaIwBw6MJSkf6BB23NmP0aqhyoq6eU=; b=bXRbj77lSsECRWjc0HtlTKPZY8Aw8s0ParhMUsBzvIoivp2NQp/50AG8urvAgj4GZFGaGnVvRgsLJW2QvlsLUrw+dN3pC4C61T0nOfOfNiwputXdq0FNbvEbxfXciGS5pcERH9ZEDjAPmE6RZgmec4T7lLod30U0ALSJQV0lfHpTrTcb3yPnuOzUcTsISIdq3/i2j3N9DOOaQ+0waJ9oqk9hmFBqsOf6VO6iW9v2d9QjxXDAlkfoc7FMepMIlfVuryPgceGQYniCfxrcwmh15Wvyg/34aiR0rt7+boRifiRF4ZyyW4WxQJI9jCE0U+PLiFGKUx2mmFE9w6cYpg4XXw==
Received: from YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:c00:19::29) by YQBPR0101MB1698.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:c00:b::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3632.18; Sun, 13 Dec 2020 00:02:02 +0000
Received: from YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM ([fe80::7d6b:aa68:78f4:5d94]) by YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM ([fe80::7d6b:aa68:78f4:5d94%7]) with mapi id 15.20.3654.019; Sun, 13 Dec 2020 00:02:02 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: "nfsv4@ietf.org" <nfsv4@ietf.org>
Thread-Topic: NFS over TLS for laptops
Thread-Index: AQHW0NppAc3uZqIjgEq2ArIQwELbLg==
Date: Sun, 13 Dec 2020 00:02:02 +0000
Message-ID: <YQXPR0101MB0968F7BF5A6D7E97F39CC739DDC90@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=uoguelph.ca;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 39ae806e-b204-4e9c-de46-08d89efa51f2
x-ms-traffictypediagnostic: YQBPR0101MB1698:
x-microsoft-antispam-prvs: <YQBPR0101MB1698ABD4B3A2A762FB2C17EDDDC80@YQBPR0101MB1698.CANPRD01.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: yjUJ7PJc+NVspLzBebicLEJfJ87ZDFqQk6Dno91Wt5CBSaqqpotq4Q8Y0ySO9pb9To9Uqea5g8ZfbKtBN6lMdGD224s6IBkw+ExUqbtiNkhoRy0BaXKYbzpI8I5Icu2u9feJ+KOUJebpX9JJRO1Tqz2bvT2cPljeno25Ra7LMSB1Oza0+DXJElfAge9YgxYTgYs+KX2CRQzpwo+wLZyG/q0y6aCCQ2vkWXbALF8Fw648jPbvC6EhOii74IeXY/NrDqJEoWTL4fRY1TNfTzRR+4GJdeFjW/TLkDgMVQtTlIsfGJzixY6nLIUvuvRbvZFH35HRvIkFhLS/tuMxG6piOg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(136003)(366004)(396003)(39850400004)(346002)(376002)(71200400001)(86362001)(66574015)(9686003)(55016002)(6506007)(6916009)(2906002)(52536014)(66946007)(5660300002)(7696005)(186003)(66446008)(66556008)(66476007)(91956017)(64756008)(478600001)(786003)(8676002)(316002)(33656002)(76116006)(83380400001)(8936002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: f7KqK8kynUAcvusc3kMwWtyTe41ikHbcMckwxU73WwjgIqrke0Ry7jxgTQ4VGRFbxHqy9pOjSfxZIWIoqzN9NctoXPO+kRwtoKXdOmZB4M6mv8Tco2LUJ+nSO9sl7k9Z6oVHZAKFS/ZHXzG7r5OY8hTRvo+NXOyXHf1bT9O/h2VKtgaHZqQeQM3z+Xl8Lra/tHwXyh3Y+wUvLHWkn7b4lZ5jHGOuqnfZVqhoxoLHHslK/SEE3+b5wMqK3ovxsMImUJN/PvJvcAPfqBSxyxAkQNt9WxjfvTwrUrmunYnj7oq9q+PweC5NP9+LCL7QsgbCXx6ufwPKwjhy4XNByBCpgyMBB3Gd27wWaVDFCmSJSOwSdEvoCWVguCd3ym1InG67LYgNMs92hQ1+5aReGw1qgOBdjCe9AdA/bCAxTJ5Qfvu7M7S3xhKCttiXa9bjk5BVOot8ksbgvlmqthjENRwucY9i90GIPfySDWkAEFADF3zpV8pWp32ELeI/jypMcrogVxQly5b7PU1Jrdxy049QIsMz7mDP/RA/09mVE47PKEeWEushpcLqiP28HFHp08qR9uhBLD6kYOO9Jo11ZyVXgezEVA1Jd1luO3SCvj6b27HDLmy3LYbtYluGCRzY5KC1UG04NEote8UN1ovElckDTQOYWHH00vm0ENokIVuMVcqJO0gshMppT+nXmcu1+19mVtj9F4/6nJInrnxKACS2wB8SJ82i+WlLptqZWIO5JhWYXi+vfdK59RWHIDu22ad848ODhkNkSNSHFz3k8R0IqJNUpVmOqeqaDNELyrgm+fryeFbXSAup3bZeeWwKR7RDb39RgCaUNyaPxhqXGb8qrtXmSe5xqlcf2TuQN8KRKWKtKCk5UhqbMgvmjrH+ouSG94xcIWdFYVvyBuqAgrNwmdou9DG9mfMHQoeWLDduSW50zkTMdFTxurFo1BcFJcuglg7uHZhTcJ3/ypm9V8vxKS0J6wkeyDRt9qhbU4nYQXQMeBFNU/2JnVQeUcXI0dpFaE4uNFBRzRWW91fGfymG23EB/D4Y5woABYM3TXLpTYo=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: uoguelph.ca
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 39ae806e-b204-4e9c-de46-08d89efa51f2
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Dec 2020 00:02:02.6209 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: be62a12b-2cad-49a1-a5fa-85f4f3156a7d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: PAXXXrphnnh4iDx+Izy4CFmdDDivBMTGrxEubSo1BKhhzod1G7HBBQWtjgUVFugVA9gCJIsDTvjqUoteI69ECA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: YQBPR0101MB1698
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/qvQ3YXnJcxsMtFZ5EuILctyQ6eg>
Subject: [nfsv4] NFS over TLS for laptops
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Dec 2020 00:02:06 -0000
Hi,
David Noveck emailed me w.r.t talking about this at a future meeting.
This sounds rather scary to me, so I figured I'd post here and then, if
others want me to, I can try to attend a "virtual meeting".
First off, the disclaimer that I am neither a security guy nor TLS guy.
The case I was trying to address was mobile device (aka laptop)
mounts to an NFS server using TLS. These devices are assumed to
have two properties:
- Used by a single user.
- Connecting to the Internet from anywhere (ie. no fixed IP nor
DNS name).
Typical filtering at the NFS server via client IP address obviously cannot work, so
what can be done?
1 - The NFS server admin. creates an x509v3 certificate via a site
local CA for the laptop, which is stored on the laptop.
--> When the laptop mounts the server via TLS, the NFS server
verifies this certificate acquired during the TLS handshake
from the laptop.
Ok, so at least the server knows that the laptop has a certificate created
by the server admin. How can this be compromised?
--> The trivial case would be the laptop being stolen or similar.
If the CA admin. creates the private key for the laptop's certificate
with a passphrase (something like the "-aes256" option on the
openssl command used to create it), then the user will need to
enter the correct passphrase before the client side daemon that
does the TLS handshake can run.
No daemon-->no handshake-->no TLS.
--> An attacker could still install something like a "trojan horse", that
would pretend to be the daemon and capture the passphrase
when the laptop user types it in.
Now, for the part that might be considered a violation of the "soon
to be an RFC" draft.
2 - When the site local CA admin creates the certificate for the laptop,
put an otherName component in subjectAltName that looks like:
1.3.6.1.4.1.2238.1.1;UTF8:rmacklem@uoguelph.ca
Now. if the daemon that does the TLS handshake on the NFS server
is started with the "--certuser" option, it will take the
rmacklem@uoguelph.ca from the client's certificate and translate
that to a POSIX <uid, gidlist> credential on the serve in a manner
analogous to what the mapper daemon (think rpc.imapd) and gssd
does for a Kerberos user principal.
--> Strip off @uoguelph.ca as the local domain and then get the
POSIX credentials for "rmacklem" from the user/group databases.
Now, all RPCs done on this TLS/TCP connection use the above POSIX
credentials instead of the contents of any AUTH_SYS credential in the
RPC request header.
--> FreeBSD has for a long time had a "-mapall" export option which
is similar to root squash, but happens for all uids. However this
doesn't work for this case, since exports are based on client IP
address.
This is similar to that, but using the information in the client's
machine certificate to decide what to squash the AUTH_SYS
credentials to.
This limits the damage done if a laptop is compromised to that
which can be done by that user (aka rmacklem) against the NFS server.
Now, how does this compare with "sec=krb5" for this laptop case?
--> Well, if the device is compromised such that a "trojan horse" can capture
the latop key's passphrase can the same be done on it for login/kinit
to capture the Kerberos password for the user principal the laptop's
user uses?
I think so.
--> If the user principal's password is compromised, then access to the
server as that user is acquired.
Also, this would require the KDC be accessible from "the world", which
sounds pretty scary to me.
This seems comparable to the mobile device's certificate being compromised,
which allows NFS server access as the user in the otherName component of
subjectAltName.
Seems like the level of risk is about the same?
For Kerberos, the user's password can be changed to stop the compromised
access. For the certificate being compromised, the site local CA admin. can
put the certificate in the CRL for the site to stop the compromised access.
Anyhow, I am about as far from a security guy as you can get, so I may be way
off w,r.t the above.
Also, the NFS over TLS code in FreeBSD is still considered "test" (it uses
OpenSSL3, which is alpha test at this time), so I can easily change things
if others have a better idea.
I will document this as "non-RFC conformant" if that appears to be the case.
rick
- [nfsv4] NFS over TLS for laptops Rick Macklem
- Re: [nfsv4] NFS over TLS for laptops David Noveck
- Re: [nfsv4] NFS over TLS for laptops Rick Macklem
- Re: [nfsv4] NFS over TLS for laptops Chuck Lever
- Re: [nfsv4] NFS over TLS for laptops Rick Macklem
- Re: [nfsv4] NFS over TLS for laptops Rick Macklem
- Re: [nfsv4] NFS over TLS for laptops Chuck Lever
- Re: [nfsv4] NFS over TLS for laptops Rick Macklem
- Re: [nfsv4] NFS over TLS for laptops Chuck Lever
- Re: [nfsv4] NFS over TLS for laptops Rick Macklem
- Re: [nfsv4] NFS over TLS for laptops Rick Macklem
- Re: [nfsv4] NFS over TLS for laptops Benjamin Kaduk
- Re: [nfsv4] NFS over TLS for laptops Chuck Lever
- Re: [nfsv4] NFS over TLS for laptops Rick Macklem
- Re: [nfsv4] NFS over TLS for laptops Rick Macklem
- Re: [nfsv4] NFS over TLS for laptops Chuck Lever
- Re: [nfsv4] NFS over TLS for laptops Benjamin Kaduk
- Re: [nfsv4] NFS over TLS for laptops Benjamin Kaduk
- Re: [nfsv4] NFS over TLS for laptops Chuck Lever
- Re: [nfsv4] NFS over TLS for laptops Benjamin Kaduk
- Re: [nfsv4] NFS over TLS for laptops Rick Macklem
- Re: [nfsv4] NFS over TLS for laptops Chuck Lever
- Re: [nfsv4] NFS over TLS for laptops Craig Everhart
- Re: [nfsv4] NFS over TLS for laptops Chuck Lever
- Re: [nfsv4] NFS over TLS for laptops Craig Everhart
- Re: [nfsv4] NFS over TLS for laptops Benjamin Kaduk
- Re: [nfsv4] NFS over TLS for laptops Rick Macklem
- Re: [nfsv4] NFS over TLS for laptops David Noveck
- Re: [nfsv4] NFS over TLS for laptops Magnus Westerlund
- Re: [nfsv4] NFS over TLS for laptops Chuck Lever