-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for restricting client certificates trusted by server #21
Comments
We have in the past discussed how to provide a particular narrow trust chain for kernel TLS consumers. This is particularly interesting if the server's certificate is self-signed.
I can discuss this feature request with our team.
So we would combine /etc/netgroup-style checking with certificate checking? Can you elaborate?
This starts to make the export administrative interface quite unwieldy. I would need to see use cases to understand exactly what is required. |
That sounds good.
I don't know enough about keyrings to comment on this.
As an example, I use something like this for SMTP among the computers in my own domain:
I could imagine some organisations wanting to authenticate NFS clients in a similar way. But I'm not a real sysadmin and I might have just invented something weird. :-)
Right, the problem is I don't think there's an established standard for how to validate client certificates. (Aside from: run your own CA and only trust certificates from that one.) So I don't know what options are actually needed! |
The Linux NFS server has /etc/exports settings that allow filtering client access via IP address. That is a separate security policy mechanism that could be used in combination with certificate verification to achieve similar results, I would think. |
I don't think that's particularly useful. If access to the network is strictly controlled then it could work but TLS is not really needed. If access to the network is not so well controlled, an attacker could attach their own device with an arbitrary client certificate for NFS, which would be accepted. |
Enable administrators to provide a trust store that is specifically for certificate verification during kernel-driven handshakes. This makes using self-signed certificates just for SunRPC more secure, for example. Partially addresses issue oracle#21. Suggested-by: Olga Kornievskaia <kolga@netapp.com> Suggested-by: Ben Hutchings <benh@debian.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Enable administrators to provide a trust store that is specifically for certificate verification during kernel-driven handshakes. This makes using self-signed certificates just for SunRPC more secure, for example. Partially addresses issue #21. Suggested-by: Olga Kornievskaia <kolga@netapp.com> Suggested-by: Ben Hutchings <benh@debian.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
That's arguable. For instance, an RPC-with-TLS certificate can contain instructions to treat all RPCs from a particular client as coming from a specific AUTH_SYS user. TLS encryption can still protect against snooping by other clients, even if the server trusts those clients.
I thought that was what the chain of trust was for? The server's client certificate verification process would prevent access by a client with an unrecognized signer, even if that client has an allowed IP address. |
Option 1 as general restriction would be great as a first step. In heterogeneous networks it is more or less possible to "steal" an IP and get a Let's Encrypt certificate, so restricting the CA-certificates to one keyring (or one location, or to an array of serials etc) would be great! |
Currently it appears that when the server is configured with "xprtsec=mtls", any client certificate issued by any CA in the system trust store will be accepted. I would guess that this is not what administrators would want from client authentication.
I would expect to be able to configure a server to trust only client certificates issued by a specific CA (perhaps an internal CA) and/or client certificates for hostnames with a specific domain. But it possibly makes sense to allow specifying required values for all of the standard subject fields.
The text was updated successfully, but these errors were encountered: