* NFSv4, SSH etc.
From: Chris Hall @ 2007-10-22 10:14 UTC
To: nfs
Help! I am failing to set up a secure NFS server. (Generally thought
to be impossible by most sources!)
I am running a fully up to date Fedora 7.
kernel-2.6.22.9-91.fc7
nfs-utils-lib-1.0.8-10.fc7
nfs-utils-1.1.0-3.fc7
libtirpc-0.1.7-9.fc7
rpcbind-0.1.4-6.fc7
I have been trying to get NFSv4 working between a client on the inside
of my firewall and a server on the outside (DMZ).
a. I thought NFSv4 would be better because it apparently only requires
the one TCP port, which is easier to manage. This turns out not to
be entirely the case -- umount appears to still want to talk to port
111 to find mountd.
Is there some configuration I have missed, please?
b. I already use SSH into the server. So I thought the easy way to
secure access to the server was to forward the nfsd port from the
client to the server.
This does not work. The server refuses, returning:
Reject State: AUTH_ERROR (1)
Auth State: bad credential (seal broken) (1)
I guess this is because nfsd is upset by receiving a packet which it
sees as coming from lo, containing a foreign host name.
I can find no way around that.
Have I missed something, please?
c. I have tried to figure out whether idmapd might help me.
I'm sorry, I cannot find anything that tells me what nfsd actually
gets from idmapd, or what one can put in idmapd.conf to influence
that.
Where do I look, please?
I realise that Kerberos is a way of securing this. But that would
require first that I set up a KDC etc etc, and second that I secure the
connection from the server in the DMZ.
I had hoped to stick with SSH which already does the job of providing a
secure, one-way connection to the server.
I could use NFSv3 and SSH. I can set the ports to use at the server
end, and I can tell the client to forward nfsd and mountd ports -- for
which I can set special ports on the client. However:
d. do I need to forward lockd? How do I tell the client to use a
special port number -- dedicated to lockd on the client?
e. similarly, do I need to forward port 111?
f. I can turn off rquotad on the server, so I don't need to figure out
how to secure that. But I do not know how statd fits into this.
What should I do there?
Thanks,
Chris
--
Chris Hall
_______________________________________________
NFS maillist - NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs
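The reject quoted in item (b) is a decoded ONC RPC rejected_reply: reply_stat MSG_DENIED, reject_stat AUTH_ERROR (1), auth_stat AUTH_BADCRED (1), which RFC 5531 annotates as "bad credential (seal broken)". The following is an added example, not code from the thread or from nfs-utils, that decodes such a reply header from a TCP record so the rejection reason can be read off directly; it also covers the RPC_MISMATCH branch, and the byte strings are constructed, not captured traffic.

```python
import struct

# RFC 5531 enumerations (only what a reply header can carry)
MSG_TYPE = {0: "CALL", 1: "REPLY"}
REPLY_STAT = {0: "MSG_ACCEPTED", 1: "MSG_DENIED"}
REJECT_STAT = {0: "RPC_MISMATCH", 1: "AUTH_ERROR"}
AUTH_STAT = {0: "AUTH_OK", 1: "AUTH_BADCRED (bad credential, seal broken)",
             2: "AUTH_REJECTEDCRED", 3: "AUTH_BADVERF (bad verifier, seal broken)",
             4: "AUTH_REJECTEDVERF", 5: "AUTH_TOOWEAK", 6: "AUTH_INVALIDRESP",
             7: "AUTH_FAILED"}


def decode_rpc_reply(record: bytes) -> dict:
    """Decode one TCP record (4-byte record mark + RPC reply header).

    The rejection branch is decoded in full; accepted replies also carry a
    verifier and accept_stat, which this example leaves unparsed.
    Raises ValueError for anything truncated or that is not a reply.
    """
    if len(record) < 4:
        raise ValueError("short record mark")
    (mark,) = struct.unpack("!I", record[:4])
    last, length = bool(mark & 0x80000000), mark & 0x7FFFFFFF
    body = record[4:4 + length]
    if len(body) != length or length < 12:
        raise ValueError("truncated or undersized fragment")
    xid, msg_type, reply_stat = struct.unpack("!III", body[:12])
    if MSG_TYPE.get(msg_type) != "REPLY":
        raise ValueError(f"not a reply: msg_type={msg_type}")
    out = {"xid": xid, "last_fragment": last,
           "reply_stat": REPLY_STAT.get(reply_stat, reply_stat)}
    if reply_stat == 1:  # MSG_DENIED: a rejected_reply union follows
        (reject_stat,) = struct.unpack("!I", body[12:16])
        out["reject_stat"] = REJECT_STAT.get(reject_stat, reject_stat)
        if reject_stat == 0:    # RPC_MISMATCH: lowest/highest version supported
            out["versions"] = struct.unpack("!II", body[16:24])
        elif reject_stat == 1:  # AUTH_ERROR: why the credential was refused
            (auth_stat,) = struct.unpack("!I", body[16:20])
            out["auth_stat"] = AUTH_STAT.get(auth_stat, auth_stat)
    return out


# Constructed samples (not captured traffic). Each starts with a record mark
# whose high bit flags the last fragment and whose low 31 bits give the length.
SAMPLE_REJECT = struct.pack("!IIIIII", 0x80000000 | 20, 0x1234ABCD, 1, 1, 1, 1)  # the reject quoted above
SAMPLE_MISMATCH = struct.pack("!IIIIIII", 0x80000000 | 24, 7, 1, 1, 0, 2, 4)
SAMPLE_ACCEPTED = struct.pack("!IIII", 0x80000000 | 12, 9, 1, 0)

if __name__ == "__main__":
    for name in ("SAMPLE_REJECT", "SAMPLE_MISMATCH", "SAMPLE_ACCEPTED"):
        print(name, decode_rpc_reply(globals()[name]))
```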
* Re: NFSv4, SSH etc.
From: Chuck Lever @ 2007-10-22 17:15 UTC
To: Chris Hall; +Cc: nfs
Chris Hall wrote:
> Help ! I am failing to set up a secure NFS server. (Generally thought
> to be impossible by most sources !)
>
> I am running a fully up to date Fedora 7.
>
> kernel-2.6.22.9-91.fc7
> nfs-utils-lib-1.0.8-10.fc7
> nfs-utils-1.1.0-3.fc7
> libtirpc-0.1.7-9.fc7
> rpcbind-0.1.4-6.fc7
>
> I have been trying to get NFSv4 working between a client on the inside
> of my firewall and a server on the outside (DMZ).
>
> a. I thought NFSv4 would be better because it apparently only requires
> the one TCP port, which is easier to manage. This turns out not to
> be entirely the case -- umount appears to still want to talk to port
> 111 to find mountd.
This is a known bug in nfs-utils-1.1.0, and was addressed in
nfs-utils-1.1.1, just released last week. NFSv4 certainly doesn't need
to talk to mountd. The umount.nfs[4] command was changed to skip the
mountd step when unmounting "nfs4" file systems.