[v2,3/4] exports(5): Describe the xprtsec= export option

Message ID	168009890542.2522.10109556599153238262.stgit@manet.1015granger.net (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-nfs-owner@vger.kernel.org> Subject: [PATCH v2 3/4] exports(5): Describe the xprtsec= export option From: Chuck Lever <cel@kernel.org> To: SteveD@redhat.com Cc: linux-nfs@vger.kernel.org, rick.macklem@gmail.com, kernel-tls-handshake@lists.linux.dev Date: Wed, 29 Mar 2023 10:08:25 -0400 Message-ID: <168009890542.2522.10109556599153238262.stgit@manet.1015granger.net> In-Reply-To: <168009806320.2522.10415374334827613451.stgit@manet.1015granger.net> References: <168009806320.2522.10415374334827613451.stgit@manet.1015granger.net> User-Agent: StGit/1.5 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Precedence: bulk
Series	nfs-utils changes for RPC-with-TLS \| expand [v2,0/4] nfs-utils changes for RPC-with-TLS [v2,1/4] libexports: Fix whitespace damage in support/nfs/exports.c [v2,2/4] exports: Add an xprtsec= export option [v2,3/4] exports(5): Describe the xprtsec= export option [v2,4/4] nfs(5): Document the new "xprtsec=" mount option

Message ID

168009890542.2522.10109556599153238262.stgit@manet.1015granger.net (mailing list archive)

State

New, archived

Headers

Subject: [PATCH v2 3/4] exports(5): Describe the xprtsec= export option
From: Chuck Lever <cel@kernel.org>
To: SteveD@redhat.com
Cc: linux-nfs@vger.kernel.org, rick.macklem@gmail.com,
        kernel-tls-handshake@lists.linux.dev
Date: Wed, 29 Mar 2023 10:08:25 -0400
Message-ID: 
 <168009890542.2522.10109556599153238262.stgit@manet.1015granger.net>
In-Reply-To: 
 <168009806320.2522.10415374334827613451.stgit@manet.1015granger.net>
References: 
 <168009806320.2522.10415374334827613451.stgit@manet.1015granger.net>
User-Agent: StGit/1.5
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Precedence: bulk

Series

nfs-utils changes for RPC-with-TLS | expand

Commit Message

Chuck Lever March 29, 2023, 2:08 p.m. UTC

From: Chuck Lever <chuck.lever@oracle.com>

Cc: Rick Macklem <rick.macklem@gmail.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
 utils/exportfs/exports.man |   51 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 50 insertions(+), 1 deletion(-)

diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man
index 54b3f8776ea6..83dd6807c570 100644
--- a/utils/exportfs/exports.man
+++ b/utils/exportfs/exports.man
@@ -125,7 +125,55 @@  In that case you may include multiple sec= options, and following options
 will be enforced only for access using flavors listed in the immediately
 preceding sec= option.  The only options that are permitted to vary in
 this way are ro, rw, no_root_squash, root_squash, and all_squash.
+.SS Transport layer security
+The Linux NFS server allows the use of RPC-with-TLS (RFC 9289) to
+protect RPC traffic between itself and its clients.
+Alternately, administrators can secure NFS traffic using a VPN,
+or an ssh tunnel or similar mechanism, in a way that is transparent
+to the server.
 .PP
+To enable the use of RPC-with-TLS, the server's administrator must
+install and configure
+.BR tlshd
+to handle transport layer security handshake requests from the local
+kernel.
+Clients can then choose to use RPC-with-TLS or they may continue
+operating without it.
+.PP
+Administrators may require the use of RPC-with-TLS to protect access
+to individual exports.
+This is particularly useful when using non-cryptographic security
+flavors such as
+.IR sec=sys .
+The
+.I xprtsec=
+option, followed by an unordered colon-delimited list of security policies,
+can restrict access to the export to only clients that have negotiated
+transport-layer security.
+Currently supported transport layer security policies include:
+.TP
+.IR none
+The server permits clients to access the export
+without the use of transport layer security.
+.TP
+.IR tls
+The server permits clients that have negotiated an RPC-with-TLS session
+without peer authentication (confidentiality only) to access the export.
+Clients are not required to offer an x.509 certificate
+when establishing a transport layer security session.
+.TP
+.IR mtls
+The server permits clients that have negotiated an RPC-with-TLS session
+with peer authentication to access the export.
+The server requires clients to offer an x.509 certificate
+when establishing a transport layer security session.
+.PP
+If RPC-with-TLS is configured and enabled and the
+.I xprtsec=
+option is not specified, the default setting for an export is
+.IR xprtsec=none:tls:mtls .
+With this setting, the server permits clients to use any transport
+layer security mechanism or none at all to access the export.
 .SS General Options
 .BR exportfs
 understands the following export options:
@@ -581,7 +629,8 @@  a character class wildcard match.
 .BR netgroup (5),
 .BR mountd (8),
 .BR nfsd (8),
-.BR showmount (8).
+.BR showmount (8),
+.BR tlshd (8).
 .\".SH DIAGNOSTICS
 .\"An error parsing the file is reported using syslogd(8) as level NOTICE from
 .\"a DAEMON whenever

[v2,3/4] exports(5): Describe the xprtsec= export option

Commit Message

Patch