Re: TLS certificates for NFS-over-TLS floating client

From: Hiroki Sato <hrs_at_FreeBSD.org>
Date: Wed, 04 Mar 2020 13:35:15 +0900 (JST)
Rick Macklem <rmacklem_at_uoguelph.ca> wrote
  in <YTBPR01MB3374EFF14948CB8FEA1B5CCDDDE50_at_YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>:

rm> Hi,
rm>
rm> I am slowly trying to understand TLS certificates and am trying to figure
rm> out how to do the following:
rm> -> For an /etc/exports file with...
rm> /home -tls -network 192.168.1.0 -mask 255.255.255.0
rm> /home -tlscert
rm>
rm> This syntax isn't implemented yet, but the thinking is that clients on the
rm> 192.168.1 subnet would use TLS, but would not require a certificate.
rm> For access from anywhere else, the client(s) would be required to have a
rm> certificate.
rm>
rm> A typical client mounting from outside of the subnet might be my laptop,
rm> which is using wifi and has no fixed IP/DNS name.
rm> --> How do you create a certificate that the laptop can use, which the NFS
rm>        server can trust enough to allow the mount?
rm> My thinking is that a "secret" value can be put in the certificate that the NFS
rm> server can check for.

 I do not think it is a good idea to use a certificate with an
 embedded secret for authentication and/or authorization.

 In the case that the client offers a certificate upon establishing a
 TLS connection for authentication purpose, the authenticity will be
 checked on the server usually by using the CA certificate which was
 used to issue the client certificate.  The CA cert must be put to
 somewhere the NFS server can read.

 The CA cert is secret.  So if the NFS server can check the client
 certificate by the CA certificate, it means the NFS server can
 trust the client.  I think no additional information is required.

 Authorization such as which mount point can be mounted by using the
 client cert can be implemented by using the CN field or other X.509
 attributes, of course.  It can be just a clear text.

 I think this is one of the most reliable and straightforward ways
 because in most cases both NFS servers and the clients are under the
 sysadmin's control.

rm> Now, I'm not sure, but I don't think this certificate can be created via
rm> a trust authority such that it would "verify". However, the server can
rm> look for the "secret" in the certificate and allow the mount based on that.

 In the way described above, to use TLS client authentication, the NFS
 server admin has to have a certificate which allows to sign another
 certificate.  This means that the admin must be a CA or trusted
 authority.

 In practice, one can generate a self-signed certificate by using
 openssl(1) and use it as its CA certificate.  He can issue
 certificates signed by it for the NFS clients, and put his CA
 certificate to somewhere the NFS server can read.

rm> Also, even if the NFS client/server have fixed IP addresses with well known
rm> DNS names, it isn't obvious to me how signed certificates can be acquired
rm> for them?
rm> (Lets Encrypt expects the Acme protocol to work and that seems to be
rm>  web site/http specific?)

 TLS certificates do not always have (or do not need to have) a domain
 name as an attribute.  Data in attributes are restricted depending on
 the purpose, so certificates issued by Let's Encrypt can have only
 domain names (CN or Subject Alternative Name), for example.  An
 example which is not supported by Let's Encrypt is a certificate for
 S/MIME email encryption which has an email address.

-- Hiroki

Received on Wed Mar 04 2020 - 03:36:35 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:23 UTC