• Chuck Lever's avatar
    NFS: Add an "xprtsec=" NFS mount option · c8407f2e
    Chuck Lever authored
    After some discussion, we decided that controlling transport layer
    security policy should be separate from the setting for the user
    authentication flavor. To accomplish this, add a new NFS mount
    option to select a transport layer security policy for RPC
    operations associated with the mount point.
    
      xprtsec=none     - Transport layer security is forced off.
    
      xprtsec=tls      - Establish an encryption-only TLS session. If
                         the initial handshake fails, the mount fails.
                         If TLS is not available on a reconnect, drop
                         the connection and try again.
    
      xprtsec=mtls     - Both sides authenticate and an encrypted
                         session is created. If the initial handshake
                         fails, the mount fails. If TLS is not available
                         on a reconnect, drop the connection and try
                         again.
    
    To support client peer authentication (mtls), the handshake daemon
    will have configurable default authentication material (certificate
    or pre-shared key). In the future, mount options can be added that
    can provide this material on a per-mount basis.
    
    Updates to mount.nfs (to support xprtsec=auto) and nfs(5) will be
    sent under separate cover.
    Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
    Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
    c8407f2e
super.c 37 KB