Re: TLS certificates for NFS-over-TLS floating client

From: John-Mark Gurney <jmg_at_funkthat.com>
Date: Fri, 27 Mar 2020 23:53:31 -0700
Rick Macklem wrote this message on Thu, Mar 26, 2020 at 14:33 +0000:
> John-Mark Gurney wrote:
> [lots of stuff snipped]
> >Rick Macklem wrote:
> >> I had originally planned on some "secret" in the certificate (like a CN name
> >> that satisfies some regular expression or ???) but others convinced me that
> >> that wouldn't provide anything beyond knowing that the certificate was
> >> signed by the appropriate CA, so I have not implemented anything.
> >
> >Yeah, having a "secret" in the CN doesn't make sense, but what does make
> >sense is allowing the exports line to specify what the CN should contain
> >to be authenticated...
> >
> >Say as a corp, you issue personal certificates to everyone.  This is
> >because you require everyone to sign and/or encrypt their email w/
> >S/MIME.  Each cert includes the email address of that person, so you
> >could simply do something like:
> >/home/alice -tlscert -tlsroot /etc/company.pem -email alice_at_example.com
> >
> >And anyone who has the certificate w/ alice_at_example.com that was signed
> >by the public key in /etc/company.pem would be granted access to the
> >export /home/alice.
> >
> >If it allowed ANY cert signed by the CA specified, then that introduces
> >an authentication problem, as now if Malory is a coworker of Alice
> >could also access Alice's home directory...
> >
> >IMO, this is one auth feature that MUST be supported...
> The draft does not address user authentication, only machine authentication.
> --> ie. The certificate is used to decide if a system can do a mount.
>       Users are still identified via user credentials in the RPC message header.
>       For AUTH_SYS, that still means <uid,gid,...>.
>       Otherwise, you need to use Kerberos (sec=krb5[ip]).
>       You could use "tls,sec=krb5" for a mount, but the only advantage that
>       might have over "sec=krb5p" is performance, if there is hardware assist
>       for TLS or something like that.
> 
> >Now that I reread your comments, it sounds like any certificate would be
> >allowed in #2 as long as it is valid, and that would only be marginally
> >better than verification by IP, and in some ways worse, in that now any
> >user could pretend to be any other user, or you have to do something
> >crazy like have a CA per user.
> The case where I see #2 is useful is where this discussion started some weeks ago.
> The example I started with was:
> /home -tls -network 192.168.1.0 -mask 255.255.255.0
> /home -tlscert
> 
> This says that machines on the local lan can mount and do not need to have
> certificates, but must use TLS so data is encrypted on the wire.
> Mounts from anywhere else (presumably laptops) are allowed so long as they have a
> certificate signed by me (as in the site local CA).
> I trust these machines enough that I am willing to allow them to use AUTH_SYS,
> which is what 99.9...% of NFS mounts do now.
> (So, I'd agree that the site local certificate is not a lot better than IP address
>  for client machine identity, just that it is an alternative that can be useful.
>  Without TLS, a line like "/home" allows anyone to mount /home from anywhere
>  and I think you'd agree that few NFS admins. will want to do that. I'm assuming
>  no external firewall for this example.)
> 
> Now, your suggestion of identifying a user via the CN and then having the
> server do all RPCs for the mount as that user is an interesting one.
> My concern w.r.t. implementing it would be interoperability.
> Put another way, if other servers such as Linux, Netapp,... don't adopt it
> (and they won't until there is a draft/RFC specifying it), it would be
> FreeBSD server specific and I'd like to avoid that.
> There was some discussion w.r.t. user authentication via certificates
> during development of the draft, but they decided to defer that work for
> now, so they could get something in place for machine authentication first.
> (If I understood the discussion on nfsv4_at_ietf.org.)

There's a fine line between machine and user authentication when you can
add -mapall=someuser.  :)

Yes, a certificate may be used to identify a machine, but if any machine
can be identified by any cert as it appears that #2 is proposed to do, then
you're not actually identifying a machine, you're identifying group of
machines...  Though per the draft, this is explicitly allowed.

It'd be nice to be able to identify particular machines though, and be
able to set the options based upon that..

> >I'm wonder if your use of the term secret was the problem, and not the
> >idea...  Anything that goes in the client cert is by definition public...
> >TLS prior to 1.3 sends the client cert in clear text...  But keying
> >based upon the contents of the cert is fine, as that's the point of
> >what a cert is..  It's trusting the CA to say that the CN and other
> >fields in the cert corresponds to this user, and you can use parts of
> >the cert, like the CN to decide which user the public key in the cert
> >corresponds to.

Rick Macklem wrote this message on Thu, Mar 26, 2020 at 14:59 +0000:
> Sorry about the top post, but I thought of a few things to add to my
> last post to this thread...
> 1 - I agree that for systems like laptops, the line between machine and
>      user authentication is fuzzy.

yep, exactly.  IMO, laptops are more important for this work, and where
you want to identify per machine at a finer grain level than server
machines...

> 2 - I do like your idea of having an exports(5) option that specifies a CN
>       that identifies a user and then does all RPCs as that user.
>       I'm not sure if an issuer needs to be specified (or even can be specified),
>       since the CAfile argument to the rpctlssd daemon determines if a certificate
>       from a particular CA will verify and the verification must happen before the
>       exports(5) export options can be applied. (Basically, certificate verification
>       happens via a NULL RPC that does a STARTTLS when a TCP connection to
>       the server is first established.)

Yeah, this will need some work, but IMO is fine as a future
improvement...

Yeah, this could be a bit tricky from a code perspective.. I don't know
how well most SSL libraries are being able to auth client certs via
different roots after the fact...  One option, but maybe not a great
option would be to verify the cert after the connection is established..

You could extract the cert identify the candidate export lines, and
then attempt a cert verification w/ a specified root if a default one
isn't specified...  Not exactly clean, but as long as the client can't
proceed without this check, shouldn't be a major problem...

> 3 - I'll post to nfsv4_at_ietf.org to see what others think of this, since it would not
>       require any changes to the draft/RFC.
> 4 - Although it does require a revision to the export_args structure, I think it is
>      worth doing even if others don't implement it.

Thanks.  Let me know if you'd like code reviews as well...

> Again, thanks for your comments, rick

And thanks for doing the work!

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
Received on Sat Mar 28 2020 - 05:54:02 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:23 UTC