diff options
author | Chuck Lever <chuck.lever@oracle.com> | 2023-04-15 10:05:58 -0400 |
---|---|---|
committer | Steve Dickson <steved@redhat.com> | 2023-04-15 13:53:54 -0400 |
commit | 21d35ad4f25e6dcdc919ceb01744b0a9d97b37ba (patch) | |
tree | e8dc80cc60e4a9314510d659f82add1f2896a6e1 | |
parent | ab6d2c6b88bce4ad4772b620b0caa027d959f205 (diff) | |
download | nfs-utils-21d35ad4f25e6dcdc919ceb01744b0a9d97b37ba.tar.gz |
exports(5): Describe the xprtsec= export option
Cc: Rick Macklem <rick.macklem@gmail.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
-rw-r--r-- | utils/exportfs/exports.man | 51 |
1 files changed, 50 insertions, 1 deletions
diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man index 54b3f87..83dd680 100644 --- a/utils/exportfs/exports.man +++ b/utils/exportfs/exports.man @@ -125,7 +125,55 @@ In that case you may include multiple sec= options, and following options will be enforced only for access using flavors listed in the immediately preceding sec= option. The only options that are permitted to vary in this way are ro, rw, no_root_squash, root_squash, and all_squash. +.SS Transport layer security +The Linux NFS server allows the use of RPC-with-TLS (RFC 9289) to +protect RPC traffic between itself and its clients. +Alternately, administrators can secure NFS traffic using a VPN, +or an ssh tunnel or similar mechanism, in a way that is transparent +to the server. .PP +To enable the use of RPC-with-TLS, the server's administrator must +install and configure +.BR tlshd +to handle transport layer security handshake requests from the local +kernel. +Clients can then choose to use RPC-with-TLS or they may continue +operating without it. +.PP +Administrators may require the use of RPC-with-TLS to protect access +to individual exports. +This is particularly useful when using non-cryptographic security +flavors such as +.IR sec=sys . +The +.I xprtsec= +option, followed by an unordered colon-delimited list of security policies, +can restrict access to the export to only clients that have negotiated +transport-layer security. +Currently supported transport layer security policies include: +.TP +.IR none +The server permits clients to access the export +without the use of transport layer security. +.TP +.IR tls +The server permits clients that have negotiated an RPC-with-TLS session +without peer authentication (confidentiality only) to access the export. +Clients are not required to offer an x.509 certificate +when establishing a transport layer security session. +.TP +.IR mtls +The server permits clients that have negotiated an RPC-with-TLS session +with peer authentication to access the export. +The server requires clients to offer an x.509 certificate +when establishing a transport layer security session. +.PP +If RPC-with-TLS is configured and enabled and the +.I xprtsec= +option is not specified, the default setting for an export is +.IR xprtsec=none:tls:mtls . +With this setting, the server permits clients to use any transport +layer security mechanism or none at all to access the export. .SS General Options .BR exportfs understands the following export options: @@ -581,7 +629,8 @@ a character class wildcard match. .BR netgroup (5), .BR mountd (8), .BR nfsd (8), -.BR showmount (8). +.BR showmount (8), +.BR tlshd (8). .\".SH DIAGNOSTICS .\"An error parsing the file is reported using syslogd(8) as level NOTICE from .\"a DAEMON whenever |