Re: TLS certificates for NFS-over-TLS floating client

From: Rick Macklem <rmacklem_at_uoguelph.ca>
Date: Thu, 26 Mar 2020 14:59:23 +0000

Sorry about the top post, but I thought of a few things to add to my
last post to this thread...
1 - I agree that for systems like laptops, the line between machine and
    user authentication is fuzzy.
2 - I do like your idea of having an exports(5) option that specifies a CN
    that identifies a user and then does all RPCs as that user.
    I'm not sure if an issuer needs to be specified (or even can be specified),
    since the CAfile argument to the rpctlssd daemon determines if a certificate
    from a particular CA will verify and the verification must happen before the
    exports(5) export options can be applied. (Basically, certificate verification
    happens via a NULL RPC that does a STARTTLS when a TCP connection to
    the server is first established.)
3 - I'll post to nfsv4_at_ietf.org to see what others think of this, since it would not
    require any changes to the draft/RFC.
4 - Although it does require a revision to the export_args structure, I think it is
    worth doing even if others don't implement it.

Again, thanks for your comments, rick

________________________________________
From: owner-freebsd-current_at_freebsd.org <owner-freebsd-current_at_freebsd.org> on behalf of Rick Macklem <rmacklem_at_uoguelph.ca>
Sent: Thursday, March 26, 2020 10:33 AM
To: John-Mark Gurney
Cc: Alexander Leidinger; freebsd-current_at_FreeBSD.org
Subject: Re: TLS certificates for NFS-over-TLS floating client

John-Mark Gurney wrote:
[lots of stuff snipped]
>Rick Macklem wrote:
>> I had originally planned on some "secret" in the certificate (like a CN name
>> that satisfies some regular expression or ???) but others convinced me that
>> that wouldn't provide anything beyond knowing that the certificate was
>> signed by the appropriate CA, so I have not implemented anything.
>
>Yeah, having a "secret" in the CN doesn't make sense, but what does make
>sense is allowing the exports line to specify what the CN should contain
>to be authenticated...
>
>Say as a corp, you issue personal certificates to everyone.  This is
>because you require everyone to sign and/or encrypt their email w/
>S/MIME.  Each cert includes the email address of that person, so you
>could simply do something like:
>/home/alice -tlscert -tlsroot /etc/company.pem -email alice_at_example.com
>
>And anyone who has the certificate w/ alice_at_example.com that was signed
>by the public key in /etc/company.pem would be granted access to the
>export /home/alice.
>
>If it allowed ANY cert signed by the CA specified, then that introduces
>an authentication problem, as now if Mallory is a coworker of Alice,
>she could also access Alice's home directory...
>
>IMO, this is one auth feature that MUST be supported...
The draft does not address user authentication, only machine authentication.
--> ie. The certificate is used to decide if a system can do a mount.
      Users are still identified via user credentials in the RPC message header.
      For AUTH_SYS, that still means <uid,gid,...>.
      Otherwise, you need to use Kerberos (sec=krb5[ip]).
      You could use "tls,sec=krb5" for a mount, but the only advantage that
      might have over "sec=krb5p" is performance, if there is hardware assist
      for TLS or something like that.

>Now that I reread your comments, it sounds like any certificate would be
>allowed in #2 as long as it is valid, and that would only be marginally
>better than verification by IP, and in some ways worse, in that now any
>user could pretend to be any other user, or you have to do something
>crazy like have a CA per user.
The case where I see #2 is useful is where this discussion started some weeks ago.
The example I started with was:
/home -tls -network 192.168.1.0 -mask 255.255.255.0
/home -tlscert

This says that machines on the local lan can mount and do not need to have
certificates, but must use TLS so data is encrypted on the wire.
Mounts from anywhere else (presumably laptops) are allowed so long as they have a
certificate signed by me (as in the site local CA).
I trust these machines enough that I am willing to allow them to use AUTH_SYS,
which is what 99.9...% of NFS mounts do now.
(So, I'd agree that the site local certificate is not a lot better than IP address
 for client machine identity, just that it is an alternative that can be useful.
 Without TLS, a line like "/home" allows anyone to mount /home from anywhere
 and I think you'd agree that few NFS admins. will want to do that. I'm assuming
 no external firewall for this example.)

Now, your suggestion of identifying a user via the CN and then having the
server do all RPCs for the mount as that user is an interesting one.
My concern w.r.t. implementing it would be interoperability.
Put another way, if other servers such as Linux, Netapp,... don't adopt it
(and they won't until there is a draft/RFC specifying it), it would be
FreeBSD server specific and I'd like to avoid that.
There was some discussion w.r.t. user authentication via certificates
during development of the draft, but they decided to defer that work for
now, so they could get something in place for machine authentication first.
(If I understood the discussion on nfsv4_at_ietf.org.)

rick

>I wonder if your use of the term secret was the problem, and not the
>idea...  Anything that goes in the client cert is by definition public...
>TLS prior to 1.3 sends the client cert in clear text...  But keying
>based upon the contents of the cert is fine, as that's the point of
>what a cert is..  It's trusting the CA to say that the CN and other
>fields in the cert corresponds to this user, and you can use parts of
>the cert, like the CN to decide which user the public key in the cert
>corresponds to.

--
  John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
Received on Thu Mar 26 2020 - 13:59:51 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:23 UTC
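
The export policies discussed in this thread, modelled as an added example (not part of the original messages and not FreeBSD code). It assumes the TLS daemon has already verified the client certificate against its CAfile; the `Export`/`Peer` types, the `email` field (standing in for the `-email` option proposed in the thread, which is not an existing exports(5) option) and all addresses and identities are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Export:
    path: str
    tls: bool = False              # -tls: connection must be encrypted
    tlscert: bool = False          # -tlscert: client cert must verify against the site CA
    network: Optional[str] = None  # -network/-mask, written here as CIDR
    email: Optional[str] = None    # hypothetical identity binding proposed in the thread

@dataclass(frozen=True)
class Peer:
    addr: str
    tls: bool
    cert_verified: bool = False    # result of CA verification done before exports apply
    cert_email: Optional[str] = None

# Constructed policy: the two /home lines from the thread plus the proposed per-user line.
EXPORTS = [
    Export("/home", tls=True, network="192.168.1.0/24"),
    Export("/home", tlscert=True),
    Export("/home/alice", tlscert=True, email="alice@example.com"),
]

def line_allows(e: Export, p: Peer) -> bool:
    if e.network and ipaddress.ip_address(p.addr) not in ipaddress.ip_network(e.network):
        return False
    if (e.tls or e.tlscert) and not p.tls:
        return False               # plaintext connections never match a TLS export line
    if e.tlscert and not p.cert_verified:
        return False
    if e.email and p.cert_email != e.email:
        return False               # valid CA signature alone is not enough
    return True

def may_mount(path: str, peer: Peer, exports=EXPORTS) -> bool:
    # A mount is allowed if any export line for that exact path accepts the peer.
    return any(line_allows(e, peer) for e in exports if e.path == path)

# Constructed peers.
LAN_HOST = Peer("192.168.1.20", tls=True)
MALLORY = Peer("203.0.113.9", True, True, "mallory@example.com")
ALICE = Peer("203.0.113.10", True, True, "alice@example.com")

if __name__ == "__main__":
    for name, peer in (("lan", LAN_HOST), ("mallory", MALLORY), ("alice", ALICE)):
        print(name, may_mount("/home", peer), may_mount("/home/alice", peer))
```

Replacing the last export line with `Export("/home/alice", tlscert=True)` reproduces the concern raised in the thread: any holder of a certificate from the site CA, Mallory included, is then accepted for `/home/alice`.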