D26241.1777647860.diff

Index: exports.5
===================================================================
--- exports.5
+++ exports.5
@@ -28,7 +28,7 @@
.\" @(#)exports.5 8.3 (Berkeley) 3/29/95
.\" $FreeBSD: head/usr.sbin/mountd/exports.5 344015 2019-02-11 16:31:15Z cracauer $
.\"
-.Dd Feb 11, 2019
+.Dd August 30, 2020
.Dt EXPORTS 5
.Os
.Sh NAME
@@ -117,9 +117,13 @@
The option flags specify whether the file system
is exported read-only or read-write and how the client UID is mapped to
user credentials on the server.
-For the NFSv4 tree root, the only option that can be specified in this
-section is
-.Fl sec .
+For the NFSv4 tree root, the only options that can be specified in this
+section are ones related to security:
+.Fl sec ,
+.Fl tls ,
+.Fl tlscert
+and
+.Fl tlscertuser .
.Pp
Export options are specified as follows:
.Pp
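Review bot: the rewritten sentence still does not say what mountd does when an option outside this list (for example -maproot or -alldirs) appears on the V4: line, and that is what an administrator debugging a pseudo-root line needs: is the line rejected with a syslog diagnostic, or is the option silently ignored? One clause after ".Fl tlscertuser ." stating which, e.g. "Any other option on this line is rejected." (or "ignored", whichever mountd does), would settle it. The lead-in "ones related to security:" could also be tightened to "the security-related options" since the list is exhaustive.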
@@ -241,6 +245,48 @@
.Fl webnfs
flags.
.Pp
+The
+.Fl tls ,
+.Fl tlscert
+and
+.Fl tlscertuser
+export options are used to require the client to use TLS for the mount(s)
+per RFC NNNN.
+For NFS mounts using TLS to work,
+.Xr rpctlsservd 8
+must be running on the server.
+.Bd -filled -offset indent
+.Fl tls
+requires that the client use TLS.
+.br
+.Fl tlscert
+requires that the client use TLS and provide a verifiable X.509 certificate
+during TLS handshake.
+.br
+.Fl tlscertuser
+requires that the client use TLS and provide a verifiable X.509 certificate.
+The otherName component of the certificate's subjAltName must have a
+an OID of 1.3.6.1.4.1.2238.1.1.1 and a UTF8 string of the form
+.Dq user@domain .
+.Dq user@domain
+will be translated to the credentials of the specified user in the same
+manner as
+.Xr nfsuserd 8 ,
+where
+.Dq user
+is normally a username is the server's password database and
+.Dq domain
+is the DNS domain name for the server.
+All RPCs will be performed using these credentials instead of the
+ones in the RPC header in a manner similar to
+.Sm off
+.Fl mapall Li = Sy user .
+.Sm on
+.Ed
+.Pp
+If none of these three flags are specified, TLS mounts are permitted but
+not required.
+.Pp
Specifying the
.Fl quiet
option will inhibit some of the syslog diagnostics for bad lines in
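Review bot: two typos in the new -tlscertuser paragraph: "must have a / an OID of 1.3.6.1.4.1.2238.1.1.1" carries a stray article (drop the "a" at the end of the first line), and "is normally a username is the server's password database" should read "in the server's password database"; "during TLS handshake" in the -tlscert entry wants "the". "per RFC NNNN" is a placeholder that has to be resolved before this lands (if the document is still a draft, cite the draft name instead of an RFC number), and its spelling should match the "RFC nnnn" used in the STANDARDS section of the same change. On substance, the -tlscertuser text should state what happens when the client's certificate verifies but carries no otherName with that OID, or names a user that is not in the password database: is the mount refused, are the RPC header credentials used, or is the request mapped to an unprivileged user? That outcome decides whether a misconfigured client silently gets more or less access than intended, so it belongs in the man page rather than in the source. It would also help to say how the certificate-derived credentials interact with -mapall and -maproot on the same line (which one wins), since the text only says the mapping is "similar to" -mapall=user.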
@@ -537,7 +583,15 @@
.Xr netgroup 5 ,
.Xr mountd 8 ,
.Xr nfsd 8 ,
+.Xr rpctlsservd 8 ,
.Xr showmount 8
+.Sh STANDARDS
+The implementation is based on the specification in
+.Rs
+.%T "Network File System Protocol Specification, Appendix A, RFC 1094"
+.%T "NFS: Network File System Version 3, Appendix I, RFC 1813"
+.%T "Towards Remote Procedure Call Encryption By Default, RFC nnnn"
+.Re
.Sh BUGS
The export options are tied to the local mount points in the kernel and
must be non-contradictory for any exported subdirectory of the local
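Review bot: the STANDARDS section puts three .%T macros inside a single .Rs/.Re block, so mdoc will render them as one reference with three titles run together; each document needs its own .Rs ... .Re pair, e.g. ".Rs / .%T "Towards Remote Procedure Call Encryption By Default, RFC nnnn" / .Re" repeated per entry, and the RFC number belongs in .%R rather than inside the title string. "RFC nnnn" is the same unresolved placeholder as "RFC NNNN" in the export-options hunk and should be filled in (or point at the draft name) with consistent spelling in both places before commit. The rpctlsservd(8) cross-reference added to SEE ALSO should be checked against the name under which the daemon's manual page is actually installed, or the link will be dangling.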
