Re: [OFFTOPIC] Secure network fileserving Linux <-> Linux

Jesse Pollard (pollard@tomcat.admin.navo.hpc.mil)
Fri, 7 Sep 2001 10:34:12 -0500 (CDT)


Jamie Lokier <lk@tantalophile.demon.co.uk>:
> Jesse Pollard wrote:
> > > Kerberos won't help either - The only parts of NFS that were kerberized
> > > was the initial mount. Everything else uses filehandles/UDP. Encryption
> > > doesn't help either - slows the entire network down too much.
> >
> > I disagree! First of all you can always use NFS over TCP, so much for
> > "every thing else uses filehandles/UDP". (No that this improves security,
> > but it can improve reliability!)
>
> It can improve security if you use NFS over TCP over SSL...
>
> That may be easier to configure than IPSec in some environments.

I've never seen that used. I assume the procedure is something like:

1. login on client (requires home directory be local)
2. ssh to server (local window for password)
3. user mode mount to another directory (assuming not mounting working
directory - marked busy, though that might be allowed)
4. use another window for local usage.

mountd port has to be redirected
nfsd port(s) have to be redirected (I think, might not apply to server)
biod port(s) have to be redirected
lockd port(s) have to be redirected (unless nolocking)
statd port(s) have to be redirected (not sure)

And only a single user per host (not unreasonable).

Would it also work for windows/Macs?

-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil

Any opinions expressed are solely my own.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/