| Field | Value | Date |
|---|---|---|
| author | Rick Macklem <rmacklem@FreeBSD.org> | 2020-11-20 22:14:51 +0000 |
| committer | Rick Macklem <rmacklem@FreeBSD.org> | 2020-11-20 22:14:51 +0000 |
| commit | 9acc400b6e7225c6e43a3b2c6cc066f978f96f39 (patch) | |
| tree | 76e20ac749eb69b5d7471dbabfd96614f6242e26 /usr.sbin/mountd | |
| parent | e75f0f2b4826b16aadd2d8fc52c94bf6d4c74d1e (diff) | |
| download | src-9acc400b6e7225c6e43a3b2c6cc066f978f96f39.tar.gz src-9acc400b6e7225c6e43a3b2c6cc066f978f96f39.zip | |
Diffstat (limited to 'usr.sbin/mountd')

| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | usr.sbin/mountd/exports.5 | 62 |

1 file changed, 58 insertions, 4 deletions
diff --git a/usr.sbin/mountd/exports.5 b/usr.sbin/mountd/exports.5 index 0a978e791c7d..bba10ddc7be1 100644 --- a/usr.sbin/mountd/exports.5 +++ b/usr.sbin/mountd/exports.5 @@ -28,7 +28,7 @@ .\" @(#)exports.5 8.3 (Berkeley) 3/29/95 .\" $FreeBSD$ .\" -.Dd February 11, 2019 +.Dd November 20, 2020 .Dt EXPORTS 5 .Os .Sh NAME @@ -117,9 +117,13 @@ exported to the host set. The option flags specify whether the file system is exported read-only or read-write and how the client UID is mapped to user credentials on the server. -For the NFSv4 tree root, the only option that can be specified in this -section is -.Fl sec . +For the NFSv4 tree root, the only options that can be specified in this +section are ones related to security: +.Fl sec , +.Fl tls , +.Fl tlscert +and +.Fl tlscertuser . .Pp Export options are specified as follows: .Pp 
@@ -241,6 +245,48 @@ or .Fl webnfs flags. .Pp +The +.Fl tls , +.Fl tlscert +and +.Fl tlscertuser +export options are used to require the client to use TLS for the mount(s) +per RFC NNNN. +For NFS mounts using TLS to work, +.Xr rpc.tlsservd 8 +must be running on the server. +.Bd -filled -offset indent +.Fl tls +requires that the client use TLS. +.br +.Fl tlscert +requires that the client use TLS and provide a verifiable X.509 certificate +during TLS handshake. +.br +.Fl tlscertuser +requires that the client use TLS and provide a verifiable X.509 certificate. +The otherName component of the certificate's subjAltName must have a +an OID of 1.3.6.1.4.1.2238.1.1.1 and a UTF8 string of the form +.Dq user@domain . +.Dq user@domain +will be translated to the credentials of the specified user in the same +manner as +.Xr nfsuserd 8 , +where +.Dq user +is normally a username is the server's password database and +.Dq domain +is the DNS domain name for the server. +All RPCs will be performed using these credentials instead of the +ones in the RPC header in a manner similar to +.Sm off +.Fl mapall Li = Sy user . +.Sm on +.Ed +.Pp +If none of these three flags are specified, TLS mounts are permitted but +not required. +.Pp Specifying the .Fl quiet option will inhibit some of the syslog diagnostics for bad lines in @@ -541,7 +587,15 @@ afterwards, whereas NFSv3 rejects the mount request. .Xr netgroup 5 , .Xr mountd 8 , .Xr nfsd 8 , +.Xr rpc.tlsservd 8 , .Xr showmount 8 +.Sh STANDARDS +The implementation is based on the specification in +.Rs +.%T "Network File System Protocol Specification, Appendix A, RFC 1094" +.%T "NFS: Network File System Version 3, Appendix I, RFC 1813" +.%T "Towards Remote Procedure Call Encryption By Default, RFC nnnn" +.Re .Sh BUGS The export options are tied to the local mount points in the kernel and must be non-contradictory for any exported subdirectory of the local |
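Review bot: In the @@ -241,6 +245,48 @@ hunk, the new .Fl tlscertuser paragraph has two typos that should be fixed before commit: "must have a an OID of 1.3.6.1.4.1.2238.1.1.1" doubles the article, and "is normally a username is the server's password database" should read "is normally a username in the server's password database". The same hunk says the options require TLS "per RFC NNNN", which is a placeholder; if the RFC number is not yet assigned, at least use the same spelling as the "RFC nnnn" placeholder in the STANDARDS hunk so both can be found and replaced together when it is.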
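Review bot: In the @@ -541,7 +587,15 @@ hunk, the new STANDARDS section wraps three .%T lines in a single .Rs/.Re block, so mdoc treats them as one reference with three titles rather than three references. Each RFC should get its own .Rs ... .Re pair, and the RFC number belongs in a .%R line rather than inside the title string, for example `.Rs`, `.%T "Network File System Protocol Specification, Appendix A"`, `.%R "RFC 1094"` followed by `.Re`. The third entry, "Towards Remote Procedure Call Encryption By Default, RFC nnnn", still carries a placeholder number that needs to be filled in.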