diff options
| author | Chuck Lever <chuck.lever@oracle.com> | 2023-06-07 10:00:09 -0400 |
|---|---|---|
| committer | Trond Myklebust <trond.myklebust@hammerspace.com> | 2023-06-19 12:30:17 -0400 |
| commit | c8407f2e560c53c4c73e77cb5604c8a408dbe7f7 (patch) | |
| tree | f695d4a7ccdf9a62a0cd57a73e6e4303c53a23e5 /Documentation/Makefile | |
| parent | 6c0a8c5fcf7158e889dbdd077f67c81984704710 (diff) | |
| download | linux-c8407f2e560c53c4c73e77cb5604c8a408dbe7f7.tar.gz linux-c8407f2e560c53c4c73e77cb5604c8a408dbe7f7.tar.bz2 linux-c8407f2e560c53c4c73e77cb5604c8a408dbe7f7.zip | |
NFS: Add an "xprtsec=" NFS mount option
After some discussion, we decided that controlling transport layer
security policy should be separate from the setting for the user
authentication flavor. To accomplish this, add a new NFS mount
option to select a transport layer security policy for RPC
operations associated with the mount point.
xprtsec=none - Transport layer security is forced off.
xprtsec=tls - Establish an encryption-only TLS session. If
the initial handshake fails, the mount fails.
If TLS is not available on a reconnect, drop
the connection and try again.
xprtsec=mtls - Both sides authenticate and an encrypted
session is created. If the initial handshake
fails, the mount fails. If TLS is not available
on a reconnect, drop the connection and try
again.
To support client peer authentication (mtls), the handshake daemon
will have configurable default authentication material (certificate
or pre-shared key). In the future, mount options can be added that
can provide this material on a per-mount basis.
Updates to mount.nfs (to support xprtsec=auto) and nfs(5) will be
sent under separate cover.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Diffstat (limited to 'Documentation/Makefile')
0 files changed, 0 insertions, 0 deletions