Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
HowTo: NFS with mTLS
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
s|mon
Apprentice
Apprentice


Joined: 04 Jul 2004
Posts: 217
Location: Bayern [de]

PostPosted: Wed Oct 23, 2024 1:28 pm    Post subject: HowTo: NFS with mTLS Reply with quote

Looking for ways to secure my legacy NFS setup and halfway down for kerberos i read that since linux 6.5 it could be achieved also using kernel TLS.

As i already had certificates set up for my homenetwork including a private CA i gave it a try and wanted to share steps here in case someone is interested.
Basically what is described at arch wiki.

Prerequisites:
Code:
CA file
Server certifiate + key file: server_signed.pem server.key
Client certificate + key file: client_signed.pem client.key (in case of mTLS)


Caveat: using KTLS requires a user space daemon to handle handshake and configuration of certificates to use. Currently i am not aware of a package on gentoo which provides this.
I used https://github.com/oracle/ktls-utils/
and created this wish-bug (with attached git ebuild for openrc, adaptation to systemd should not be too hard)
https://bugs.gentoo.org/942003

Configuration of /etc/tlshd.conf (from ktls-utils, NFS Server)
Code:
[debug]
loglevel=0
tls=0
nl=0

[authenticate]

[authenticate.server]
x509.truststore=  /etc/nfs-certs/ca-cert.pem
x509.certificate= /etc/nfs-certs/server_signed.pem
x509.private_key= /etc/nfs-certs/server.key


I did not put the certificates to global certificate folders as it is not required, maybe i'll adapt that later.

Configuration of /etc/tlshd.conf (from ktls-utils, NFS Client)
Code:
[debug]
loglevel=0
tls=0
nl=0

[authenticate]

[authenticate.client]
x509.truststore=  /etc/nfs-certs/ca-cert.pem
x509.certificate= /etc/nfs-certs/client_signed.pem
x509.private_key= /etc/nfs-certs/client.key

[authenticate.server]


start tlshd on client and server, cosnider adding the service to appropriate runlevels
e.g. rc-update add tlshd default

Configuration of NFS (/etc/conf.d/nfs.conf for openrc, NFS Server)
Code:

OPTS_RPC_NFSD="8 -V 4 -V 4.2"

to specify the version of NFS to 4.2 if needed.

Configiration on exports (NFS server)
add
Code:
xprtsec=mtls
or a list of things to be supported for each export, depending on ones needs. I have explictly set mtls as i want only such to be allowed.

Configuration of fstab (or options to mount, NFS client)
Code:
server:/mnt/test   /mnt/test   nfs    nofail,auto,rw,soft,_netdev,sec=sys,xprtsec=mtls    0 0


Kernel configuration:
Ensure that NFS 4.2 is available, should be 6.5 or newer and enable kernel TLS.
the only one i had missing was
Code:
CONFIG_TLS



Application:
umount on client
adapt configurations on both sides.
apply on server using
exportfs -ra
/etc/init.d/nfs restart
mounting on client

on success one should also see the syslog output from tlshd
e.g. on my auth.log
Quote:

Oct 23 14:56:48 servername tlshd[28330]: Handshake with client.domain (192.168.x.y) was successful
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum