D26241.id76452.diff
Index: exports.5
===================================================================
--- exports.5
+++ exports.5
@@ -28,7 +28,7 @@
.\" @(#)exports.5 8.3 (Berkeley) 3/29/95
.\" $FreeBSD: head/usr.sbin/mountd/exports.5 344015 2019-02-11 16:31:15Z cracauer $
.\"
-.Dd Feb 11, 2019
+.Dd August 30, 2020
.Dt EXPORTS 5
.Os
.Sh NAME
@@ -117,9 +117,13 @@
The option flags specify whether the file system
is exported read-only or read-write and how the client UID is mapped to
user credentials on the server.
-For the NFSv4 tree root, the only option that can be specified in this
-section is
-.Fl sec .
+For the NFSv4 tree root, the only options that can be specified in this
+section are ones related to security:
+.Fl sec ,
+.Fl tls ,
+.Fl tlscert
+and
+.Fl tlscertuser .
.Pp
Export options are specified as follows:
.Pp
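Review bot: "ones related to security" in the rewritten sentence is vague for what is a hard restriction on the NFSv4 tree root line; "the security-related options" reads more cleanly, and since the patch's later paragraph states that with none of -tls, -tlscert and -tlscertuser specified TLS is permitted but not required, it would help to say here whether that same default applies when the root line carries none of the three.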
@@ -241,6 +245,48 @@
.Fl webnfs
flags.
.Pp
+The
+.Fl tls ,
+.Fl tlscert
+and
+.Fl tlscertuser
+export options are used to require the client to use TLS for the mount(s)
+per RFC NNNN.
+For NFS mounts using TLS to work,
+.Xr rpctlssd 8
+must be running on the server.
+.Bd -filled -offset indent
+.Fl tls
+requires that the client use TLS.
+.br
+.Fl tlscert
+requires that the client use TLS and provide a verifiable X.509 certificate
+during TLS handshake.
+.br
+.Fl tlscertuser
+requires that the client use TLS and provide a verifiable X.509 certificate.
+The otherName component of the certificate's subjAltName must have a
+an OID of 1.3.6.1.4.1.2238.1.1.1 and a UTF8 string of the form
+.Dq user@domain .
+.Dq user@domain
+will be translated to the credentials of the specified user in the same
+manner as
+.Xr nfsuserd 8 ,
+where
+.Dq user
+is normally a username is the server's password database and
+.Dq domain
+is the DNS domain name for the server.
+All RPCs will be performed using these credentials instead of the
+ones in the RPC header in a manner similar to
+.Sm off
+.Fl mapall Li = Sy user .
+.Sm on
+.Ed
+.Pp
+If none of these three flags are specified, TLS mounts are permitted but
+not required.
+.Pp
Specifying the
.Fl quiet
option will inhibit some of the syslog diagnostics for bad lines in
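Review bot: "per RFC NNNN" in the opening sentence of the new paragraph is a placeholder; fill in the actual RFC (or draft) reference before commit, ideally as an mdoc .Rs / .%R / .Re reference block rather than inline text. Two typos in the same hunk: "must have a / an OID of 1.3.6.1.4.1.2238.1.1.1" doubles the article (drop the trailing "a" on the first line), and "is normally a username is the server's password database" should read "in the server's password database". Minor style: "during TLS handshake" reads better as "during the TLS handshake", and the .Bd -filled block that separates the three flags with .br is conventionally written as a .Bl -tag -width tlscertuser list with one .It Fl entry per option, which also renders the three descriptions aligned.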
@@ -537,6 +583,7 @@
.Xr netgroup 5 ,
.Xr mountd 8 ,
.Xr nfsd 8 ,
+.Xr rpctlssd 8 ,
.Xr showmount 8
.Sh BUGS
The export options are tied to the local mount points in the kernel and
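Review bot: the new text cross-references .Xr nfsuserd 8 for the user@domain credential mapping, but SEE ALSO as shown goes straight from .Xr nfsd 8 , to the added .Xr rpctlssd 8 , ; add .Xr nfsuserd 8 , between them so the alphabetical list covers every page the new paragraph refers to.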
Attached To
D26241: update exports.5 to include information on the TLS export options