Linked by Thom Holwerda on Wed 27th Sep 2006 13:49 UTC, submitted by falko
Privacy, Security, Encryption "The goal of this howto is building a NFS server that works on an SSH tunnel. This way all traffic between your hosts and the file server is encrypted and thus more secure. Normally you should enter a password every time you try to establish a SSH connection but since we could be mounting at bootup we will use ssh-keygen to create a keypair so we can login without entering a password. We will, however, limit that login session to executing just 1 command."
Very nice
by DrAk0 on Wed 27th Sep 2006 14:49 UTC
DrAk0
Member since:
2006-08-15

That's a very nice way to secure NFS services, but on a high-load network how is it going to perform?

Reply Score: 1

This howto could be better
by darkmind on Wed 27th Sep 2006 15:26 UTC
darkmind
Member since:
2006-02-13

This howto could really be better:
1. It could have set fixed port numbers on the server. This way, even after a restart, there should be no issue.

2. Instead of SSH tunneling (which needs a user auth), it could have used stunnel to do SSL tunneling between the NFS client and the NFS server.
http://www.stunnel.org/

Reply Score: 3
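As an added illustration of darkmind's second point (this is example configuration, not from the howto or from the comment): stunnel on both ends, with mutual certificate verification in place of an SSH user account. Two files are shown in one block, separated by comments; the hostname, the certificate paths and the 2050/4003 TLS listener ports are hypothetical, and mountd is assumed to be pinned to port 4002 on the server (e.g. rpc.mountd -p 4002).

```ini
; --- server side: /etc/stunnel/nfs-server.conf (hypothetical path) ---
; Terminates TLS and hands plaintext to the local NFS daemons. verify = 2
; means a client must present a certificate signed by our own CA; an
; unauthenticated client never reaches nfsd or mountd at all.
cert   = /etc/stunnel/nfsserver.pem
key    = /etc/stunnel/nfsserver.key
CAfile = /etc/stunnel/nfs-ca.pem
verify = 2

[nfsd]
accept  = 2050
connect = 127.0.0.1:2049

[mountd]
accept  = 4003
connect = 127.0.0.1:4002      ; rpc.mountd -p 4002 on the server (assumed)

; --- client side: /etc/stunnel/nfs-client.conf (hypothetical path) ---
; Listens on loopback and wraps each NFS connection in TLS. The client
; verifies the server certificate against the same CA, so a spoofed
; server is refused as well.
client = yes
cert   = /etc/stunnel/nfsclient.pem
key    = /etc/stunnel/nfsclient.key
CAfile = /etc/stunnel/nfs-ca.pem
verify = 2

[nfsd]
accept  = 127.0.0.1:2049
connect = nfsserver:2050

[mountd]
accept  = 127.0.0.1:4002
connect = nfsserver:4003
```

The client then mounts 127.0.0.1:/export over TCP with port=2049, mountproto=tcp and mountport=4002, exactly as with the SSH tunnel. Two caveats carry over too: the server sees the connection arriving from its own loopback on an unprivileged source port, so the export has to be granted to 127.0.0.1 with the insecure option, and stunnel only carries TCP, so NFS over UDP and lockd callbacks do not pass through it.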

Why though ?
by darrenmoffat on Wed 27th Sep 2006 15:55 UTC
darrenmoffat
Member since:
2005-11-17

Why do this when all it does is provide transport protection? It doesn't actually help with NFS authentication of end points.

NFS can already be secured using Kerberos, and what's more, NFSv4 mandates it be implemented.

Reply Score: 1

OpenVPN is another option
by KenJackson on Wed 27th Sep 2006 18:17 UTC
KenJackson
Member since:
2005-07-18

This seems like good information, although SSH is being pressed into service as a VPN.

I already use NFS over an OpenVPN (http://openvpn.net/) connection. I believe it uses the same OpenSSL library as OpenSSH, so presumably the security should be similar. But OpenVPN gives me a more general VPN connection which is useful for other applications also.

Reply Score: 1

fixed ports
by harm on Wed 27th Sep 2006 19:45 UTC
harm
Member since:
2006-09-27

@darkmind:
I just updated the howto with fixed ports, thanks for mentioning the issue ;) Should have done that right from the start :x

Reply Score: 1

NFS builtin security
by mjones on Wed 27th Sep 2006 19:47 UTC
mjones
Member since:
2006-06-14

NFS still has no built-in encryption?

Reply Score: 1

SSH-FS
by ojh77 on Wed 27th Sep 2006 21:05 UTC
ojh77
Member since:
2005-12-19

If using Linux why not just use FUSE with SSH-FS mounts?

Reply Score: 1

RE: SSH-FS
by Bringbackanonposting on Thu 28th Sep 2006 00:07 UTC in reply to "SSH-FS"
Bringbackanonposting
Member since:
2005-11-16

There are stacks of ways to do the same thing here. The article is just a howto on one solution.
I have always tried to use NFS instead of SMB/CIFS and the others, seeing as I am in a pure $nix network. But I would say the final straw was the strange problem I had where NFS would not allow the viewing of files and folders on the server that were on a mounted filesystem off the exported tree. E.g. export /home/user. /home/user/other is a mounted fs (/dev/hdg1). From the client I can't see files in /home/user/other. Bizarre. SMB/CIFS can. I use CIFS everywhere now because it is easy to set up (easy to configure, PITA to install). All other network file systems are overkill to use in a small network. If I need secure remote access I use either hamachi or openvpn.

Reply Score: 1

use SFS on WAN
by vlado on Thu 28th Sep 2006 06:57 UTC
vlado
Member since:
2005-10-26

I would recommend to use http://www.fs.net/ on WAN.

Reply Score: 1

ssh/user account
by anonymous-bert on Thu 28th Sep 2006 13:40 UTC
anonymous-bert
Member since:
2006-02-16

Probably a better solution is to set the shared user account shell to /bin/false, then construct the tunnel with the ssh -N option (which will put the ssh session in tunnel-only mode, thereby not calling the shell, which would, as desired, fail with /bin/false as the shell).

This way the shared account is more controlled beyond just ssh sessions.

Bert

Reply Score: 1
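The pieces discussed across this thread, put together in one script as an added example: the passwordless, single-purpose key from the howto summary, darkmind's fixed ports, and Bert's /bin/false shell plus ssh -N. This is not code from the howto or from any commenter. The server name "nfsserver", the tunnel account "nfstunnel", the key path, the export /export/data and mountd pinned to port 4002 (e.g. rpc.mountd -p 4002) are all hypothetical assumptions.

```sh
#!/bin/sh
# Added example (not from the howto or the comments): NFS over an SSH tunnel
# with a key that can do nothing but the two port forwards.
# Assumed: server "nfsserver", account "nfstunnel" whose login shell is
# /bin/false, export /export/data, nfsd on TCP 2049, rpc.mountd pinned to 4002.
set -eu

NFS_SERVER=${NFS_SERVER:-nfsserver}
TUNNEL_USER=${TUNNEL_USER:-nfstunnel}
KEY=${KEY:-/root/.ssh/nfs_tunnel}      # created with: ssh-keygen -t ed25519 -N '' -f "$KEY"
NFSD_PORT=2049
MOUNTD_PORT=4002
EXPORT=/export/data
MOUNTPOINT=/mnt/data

# Server side: the authorized_keys line for the tunnel key. No pty, no agent
# or X11 forwarding, and permitopen limits -L forwards to the two NFS ports on
# the server's loopback. command="/bin/false" backs up the /bin/false login
# shell: a client that asks for a session instead of using -N gets nothing
# and the connection closes.
authorized_keys_entry() {
    printf 'command="/bin/false",no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="127.0.0.1:%s",permitopen="127.0.0.1:%s" %s\n' \
        "$NFSD_PORT" "$MOUNTD_PORT" "$1"
}

# Server side: the /etc/exports line. Through the tunnel, sshd connects to
# nfsd from 127.0.0.1 and from an unprivileged source port, so the export
# must be granted to localhost and marked insecure; without that, mount fails
# with "access denied" even though the tunnel itself is up.
exports_entry() {
    printf '%s 127.0.0.1(rw,sync,insecure,no_subtree_check)\n' "$EXPORT"
}

# Client side: the mount command. Everything is forced onto TCP and onto the
# pinned ports, because UDP cannot pass through an ssh -L forward. nolock is
# needed too: NLM locking requires callbacks from server to client, which a
# one-way local forward cannot carry.
mount_command() {
    printf 'mount -t nfs -o nfsvers=3,proto=tcp,port=%s,mountproto=tcp,mountport=%s,nolock 127.0.0.1:%s %s\n' \
        "$NFSD_PORT" "$MOUNTD_PORT" "$EXPORT" "$MOUNTPOINT"
}

# Client side: open the tunnel. -N requests no command, so the account's
# /bin/false shell is never invoked; -f backgrounds ssh once the forwards are
# up; ExitOnForwardFailure turns a port collision into a hard error instead of
# a silently half-working tunnel. Binding local port 2049 needs root, which
# the mount needs anyway.
open_tunnel() {
    ssh -N -f -i "$KEY" -o ExitOnForwardFailure=yes -o BatchMode=yes \
        -L "127.0.0.1:${NFSD_PORT}:127.0.0.1:${NFSD_PORT}" \
        -L "127.0.0.1:${MOUNTD_PORT}:127.0.0.1:${MOUNTD_PORT}" \
        "${TUNNEL_USER}@${NFS_SERVER}"
}

case "${1:-}" in
    authorized-keys) authorized_keys_entry "$(cat "${KEY}.pub")" ;; # into ~nfstunnel/.ssh/authorized_keys on the server
    exports)         exports_entry ;;                                 # into /etc/exports on the server, then exportfs -ra
    up)              open_tunnel && eval "$(mount_command)" ;;         # on the client, as root
    *)               echo "usage: $0 authorized-keys|exports|up" >&2 ;;
esac
```

Run it with `authorized-keys` and `exports` once to print the two server-side lines, then `up` on the client at boot. If the tunnel dies, the mount hangs rather than failing, so a boot-time setup should also arrange to restart the ssh process (autossh or a supervisor) before retrying the mount.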