Linux NFS development
* NFSv4, SSH etc.
@ 2007-10-22 10:14 Chris Hall
  2007-10-22 17:15 ` Chuck Lever
  0 siblings, 1 reply; 2+ messages in thread
From: Chris Hall @ 2007-10-22 10:14 UTC (permalink / raw)
  To: nfs


Help!  I am failing to set up a secure NFS server.  (Generally thought
to be impossible by most sources!)

I am running a fully up to date Fedora 7.

  kernel-2.6.22.9-91.fc7
  nfs-utils-lib-1.0.8-10.fc7
  nfs-utils-1.1.0-3.fc7
  libtirpc-0.1.7-9.fc7
  rpcbind-0.1.4-6.fc7

I have been trying to get NFSv4 working between a client on the inside
of my firewall and a server on the outside (DMZ).

 a. I thought NFSv4 would be better because it apparently only requires
    the one TCP port, which is easier to manage.  This turns out not to
    be entirely the case -- umount appears to still want to talk to port
    111 to find mountd.

    Is there some configuration I have missed, please?

 b. I already use SSH into the server.  So I thought the easy way to
    secure access to the server was to forward the nfsd port from the
    client to the server.

    This does not work.  The server refuses, returning:

        Reject State: AUTH_ERROR (1)
        Auth State: bad credential (seal broken) (1)

    I guess this is because nfsd is upset by receiving a packet which it
    sees as coming from lo, containing a foreign host name.

    I can find no way around that.

    Have I missed something, please?

 c. I have tried to figure out whether idmapd might help me.

    I'm sorry, I cannot find anything that tells me what nfsd actually
    gets from idmapd, or what one can put in idmapd.conf to influence
    that.

    Where do I look, please?

I realise that Kerberos is a way of securing this.  But that would
require first that I set up a KDC etc etc, and second that I secure the
connection from the server in the DMZ.

I had hoped to stick with SSH which already does the job of providing a
secure, one-way connection to the server.

I could use NFSv3 and SSH.  I can set the ports to use at the server
end, and I can tell the client to forward nfsd and mountd ports -- for
which I can set special ports on the client.  However:

 d. do I need to forward lockd ?  How do I tell the client to use a
    special port number -- dedicated to lockd on the client?

 e. similarly, do I need to forward port 111 ?

 f. I can turn off rquotad on the server, so I don't need to figure out
    how to secure that.  But I do not know how statd fits into this.
    What should I do there ?

Thanks,

Chris
-- 
Chris Hall

_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs
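
The reject quoted under (b) above, decoded as an added example (this is not code from the thread, from nfs-utils or from the kernel). The script builds a Sun RPC (RFC 5531) CALL carrying an AUTH_SYS credential, which is what a plain `sec=sys` mount sends, and then parses an RPC REPLY of the MSG_DENIED / AUTH_ERROR form, labelling the auth_stat value with the same strings Wireshark's RPC dissector prints ("bad credential (seal broken)" is AUTH_BADCRED, value 1). The host name `client.example.net`, the uid/gids and the xid are made up. The point it makes: an AUTH_SYS credential is just an asserted machine name plus numeric ids, and AUTH_BADCRED is the server declaring that credential unusable; the script does not diagnose why nfsd sent it in this particular setup.

```python
"""Sun RPC (RFC 5531): AUTH_SYS credential and MSG_DENIED reply, by hand."""
import struct

CALL, REPLY = 0, 1                   # msg_type
MSG_ACCEPTED, MSG_DENIED = 0, 1      # reply_stat
RPC_MISMATCH, AUTH_ERROR = 0, 1      # reject_stat
AUTH_NONE, AUTH_SYS = 0, 1           # auth flavors (AUTH_SYS is the old AUTH_UNIX)
NFS_PROGRAM = 100003

# auth_stat codes (RFC 5531) with the labels Wireshark's RPC dissector prints
AUTH_STAT = {0: "ok",
             1: "bad credential (seal broken)",      # AUTH_BADCRED
             2: "client must begin new session",     # AUTH_REJECTEDCRED
             3: "bad verifier (seal broken)",        # AUTH_BADVERF
             4: "verifier expired or replayed",      # AUTH_REJECTEDVERF
             5: "rejected for security reasons",    # AUTH_TOOWEAK
             6: "bogus response verifier",           # AUTH_INVALIDRESP
             7: "reason unknown"}                    # AUTH_FAILED
ACCEPT_STAT = {0: "SUCCESS", 1: "PROG_UNAVAIL", 2: "PROG_MISMATCH",
               3: "PROC_UNAVAIL", 4: "GARBAGE_ARGS", 5: "SYSTEM_ERR"}

def xdr_u32(n):
    return struct.pack(">I", n)

def xdr_opaque(b):
    """Variable-length opaque: 4-byte length, bytes, zero padding to 4."""
    return xdr_u32(len(b)) + b + b"\0" * (-len(b) % 4)

class XdrReader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def u32(self):
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v
    def opaque(self):
        n = self.u32()
        b = self.data[self.pos:self.pos + n]
        self.pos += n + (-n % 4)
        return b

def auth_sys_body(machinename, uid, gid, gids, stamp=0):
    """AUTH_SYS credential body.  Nothing in it is authenticated: the client just
    asserts a host name and numeric ids.  RFC 5531 caps machinename at 255 bytes
    and gids at 16; a body over those limits may be answered with AUTH_BADCRED."""
    name = machinename.encode()
    if len(name) > 255 or len(gids) > 16:
        raise ValueError("AUTH_SYS limits: machinename <= 255 bytes, gids <= 16")
    return (xdr_u32(stamp) + xdr_opaque(name) + xdr_u32(uid) + xdr_u32(gid)
            + xdr_u32(len(gids)) + b"".join(xdr_u32(g) for g in gids))

def rpc_call(xid, prog, vers, proc, cred_body):
    return (xdr_u32(xid) + xdr_u32(CALL) + xdr_u32(2)      # rpcvers is always 2
            + xdr_u32(prog) + xdr_u32(vers) + xdr_u32(proc)
            + xdr_u32(AUTH_SYS) + xdr_opaque(cred_body)    # cred
            + xdr_u32(AUTH_NONE) + xdr_opaque(b""))        # empty verifier

def parse_call_cred(msg):
    """What the server sees in the credential of a CALL."""
    r = XdrReader(msg)
    xid, msg_type = r.u32(), r.u32()
    if msg_type != CALL:
        raise ValueError("not an RPC CALL")
    r.u32()                                                # rpcvers
    out = {"xid": xid, "prog": r.u32(), "vers": r.u32(), "proc": r.u32()}
    out["flavor"], body = r.u32(), r.opaque()
    if out["flavor"] == AUTH_SYS:
        b = XdrReader(body)
        out["stamp"] = b.u32()
        out["machinename"] = b.opaque().decode()
        out["uid"], out["gid"] = b.u32(), b.u32()
        out["gids"] = [b.u32() for _ in range(b.u32())]
    return out

def rpc_deny_auth(xid, auth_stat):
    """REPLY / MSG_DENIED / AUTH_ERROR / auth_stat, as a server sends it."""
    return (xdr_u32(xid) + xdr_u32(REPLY) + xdr_u32(MSG_DENIED)
            + xdr_u32(AUTH_ERROR) + xdr_u32(auth_stat))

def describe_reply(msg):
    """Decode an RPC REPLY into the fields a packet dissector would show."""
    r = XdrReader(msg)
    out = {"xid": r.u32()}
    if r.u32() != REPLY:
        raise ValueError("not an RPC REPLY")
    if r.u32() == MSG_ACCEPTED:
        r.u32(), r.opaque()                                # server verifier, ignored
        stat = r.u32()
        out["reply_stat"] = "MSG_ACCEPTED"
        out["accept_stat"] = f"{ACCEPT_STAT.get(stat, 'unknown')} ({stat})"
        return out
    out["reply_stat"] = "MSG_DENIED"
    if r.u32() == RPC_MISMATCH:
        out["reject_stat"] = "RPC_MISMATCH (0)"
        out["low"], out["high"] = r.u32(), r.u32()
    else:
        stat = r.u32()
        out["reject_stat"] = "AUTH_ERROR (1)"
        out["auth_stat"] = f"{AUTH_STAT.get(stat, 'unknown')} ({stat})"
    return out

if __name__ == "__main__":
    # Constructed exchange: NFSv4 NULL call from a made-up host, then the reject.
    call = rpc_call(0x1234ABCD, NFS_PROGRAM, 4, 0,
                    auth_sys_body("client.example.net", 1000, 1000, [1000, 10]))
    print(parse_call_cred(call))
    print(describe_reply(rpc_deny_auth(0x1234ABCD, 1)))
```

Run it with `python3` and compare the second line with the Wireshark fields quoted in the post. The practical caveat for the SSH-tunnel plan is visible in `auth_sys_body`: with `sec=sys` the tunnel authenticates the SSH user to the server, but every NFS request still carries whatever uid, gid and host name the client chooses to assert, so the tunnel protects the transport, not the identities nfsd acts on.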


* Re: NFSv4, SSH etc.
  2007-10-22 10:14 NFSv4, SSH etc Chris Hall
@ 2007-10-22 17:15 ` Chuck Lever
  0 siblings, 0 replies; 2+ messages in thread
From: Chuck Lever @ 2007-10-22 17:15 UTC (permalink / raw)
  To: Chris Hall; +Cc: nfs

Chris Hall wrote:
> Help!  I am failing to set up a secure NFS server.  (Generally thought
> to be impossible by most sources!)
> 
> I am running a fully up to date Fedora 7.
> 
>   kernel-2.6.22.9-91.fc7
>   nfs-utils-lib-1.0.8-10.fc7
>   nfs-utils-1.1.0-3.fc7
>   libtirpc-0.1.7-9.fc7
>   rpcbind-0.1.4-6.fc7
> 
> I have been trying to get NFSv4 working between a client on the inside
> of my firewall and a server on the outside (DMZ).
> 
>  a. I thought NFSv4 would be better because it apparently only requires
>     the one TCP port, which is easier to manage.  This turns out not to
>     be entirely the case -- umount appears to still want to talk to port
>     111 to find mountd.

This is a known bug in nfs-utils-1.1.0, and was addressed in 
nfs-utils-1.1.1, just released last week.  NFSv4 certainly doesn't need 
to talk to mountd.  The umount.nfs[4] command was changed to skip the 
mountd step when unmounting "nfs4" file systems.
