[chungy]

Everything you listed was fixed in NFSv4. Don't use the ancient versions of NFS.

[yrro]

We're not there with authentication yet (although I've no problem with Kerberos myself).

[gnufx]

How are we not there? The only real issue I know is allegedly requiring host keys for gssd (e.g. "joining the domain"), but rpc.gssd(8) documents "anyname" principals.

[yrro]

The only per-user authentication option is Kerberos. Username/password based authentication is not possible.

[gnufx]

That seems like a feature; mounting SMB is done on a local system on the basis of password, and it's horrible. (I assume you could, in principle, use some other GSSAPI mechanism.)

[lubutu]

There has been recent work on RPC-with-TLS (RFC 9289), xprtsec=mtls.

[yrro]

AIUI this is still not user level authentication. It rather secures the communication between hosts, but you still have to choose between sec=sys ("trust me bro") or sec=krb5* at the upper layer.

[kiney]

easist way nowadays to get secure NFS is to just set up a wireguard tunnel

[yrro]

No because you still have to trust the client.

With Kerberos a hacked client where user 1 has authenticated can't impersonate user 2 unless that user has also authenticated on the client.

With sec=sys the client is simply trusted without any per-user authentication.

[kiney]

in most cases you can just use more fine-grained exports. e.g. export /home/user1 to 10.0.0.1 and /home/user2 to 10.0.0.2 instead of /home to 10.0.0.0/24 etc.