View previous topic :: View next topic |
Author |
Message |
s|mon Apprentice
Joined: 04 Jul 2004 Posts: 217 Location: Bayern [de]
|
Posted: Wed Oct 23, 2024 1:28 pm Post subject: HowTo: NFS with mTLS |
|
|
Looking for ways to secure my legacy NFS setup and halfway down for kerberos i read that since linux 6.5 it could be achieved also using kernel TLS.
As i already had certificates set up for my homenetwork including a private CA i gave it a try and wanted to share steps here in case someone is interested.
Basically what is described at arch wiki.
Prerequisites: Code: | CA file
Server certifiate + key file: server_signed.pem server.key
Client certificate + key file: client_signed.pem client.key (in case of mTLS) |
Caveat: using KTLS requires a user space daemon to handle handshake and configuration of certificates to use. Currently i am not aware of a package on gentoo which provides this.
I used https://github.com/oracle/ktls-utils/
and created this wish-bug (with attached git ebuild for openrc, adaptation to systemd should not be too hard)
https://bugs.gentoo.org/942003
Configuration of /etc/tlshd.conf (from ktls-utils, NFS Server)
Code: | [debug]
loglevel=0
tls=0
nl=0
[authenticate]
[authenticate.server]
x509.truststore= /etc/nfs-certs/ca-cert.pem
x509.certificate= /etc/nfs-certs/server_signed.pem
x509.private_key= /etc/nfs-certs/server.key
|
I did not put the certificates to global certificate folders as it is not required, maybe i'll adapt that later.
Configuration of /etc/tlshd.conf (from ktls-utils, NFS Client)
Code: | [debug]
loglevel=0
tls=0
nl=0
[authenticate]
[authenticate.client]
x509.truststore= /etc/nfs-certs/ca-cert.pem
x509.certificate= /etc/nfs-certs/client_signed.pem
x509.private_key= /etc/nfs-certs/client.key
[authenticate.server]
|
start tlshd on client and server, cosnider adding the service to appropriate runlevels
e.g. rc-update add tlshd default
Configuration of NFS (/etc/conf.d/nfs.conf for openrc, NFS Server)
Code: |
OPTS_RPC_NFSD="8 -V 4 -V 4.2"
|
to specify the version of NFS to 4.2 if needed.
Configiration on exports (NFS server)
add or a list of things to be supported for each export, depending on ones needs. I have explictly set mtls as i want only such to be allowed.
Configuration of fstab (or options to mount, NFS client)
Code: | server:/mnt/test /mnt/test nfs nofail,auto,rw,soft,_netdev,sec=sys,xprtsec=mtls 0 0 |
Kernel configuration:
Ensure that NFS 4.2 is available, should be 6.5 or newer and enable kernel TLS.
the only one i had missing was
Application:
umount on client
adapt configurations on both sides.
apply on server using
exportfs -ra
/etc/init.d/nfs restart
mounting on client
on success one should also see the syslog output from tlshd
e.g. on my auth.log
Quote: |
Oct 23 14:56:48 servername tlshd[28330]: Handshake with client.domain (192.168.x.y) was successful |
|
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|