From: Chris Hall <chris@halldom.com>
To: nfs@lists.sourceforge.net
Subject: NFSv4, SSH etc.
Date: Mon, 22 Oct 2007 11:14:21 +0100
Message-ID: <4qlKQmD9fHHHFwKt@agrotera.halldom.com>
Help! I am failing to set up a secure NFS server. (Generally thought
to be impossible by most sources!)

I am running a fully up to date Fedora 7.

kernel-2.6.22.9-91.fc7
nfs-utils-lib-1.0.8-10.fc7
nfs-utils-1.1.0-3.fc7
libtirpc-0.1.7-9.fc7
rpcbind-0.1.4-6.fc7

I have been trying to get NFSv4 working between a client on the inside
of my firewall and a server on the outside (DMZ).

a. I thought NFSv4 would be better because it apparently only requires
the one TCP port, which is easier to manage. This turns out not to
be entirely the case -- umount appears to still want to talk to port
111 to find mountd.

Is there some configuration I have missed, please?

b. I already use SSH into the server. So I thought the easy way to
secure access to the server was to forward the nfsd port from the
client to the server.

This does not work. The server refuses, returning:

Reject State: AUTH_ERROR (1)
Auth State: bad credential (seal broken) (1)

I guess this is because nfsd is upset by receiving a packet which it
sees as coming from lo, containing a foreign host name.

I can find no way around that.

Have I missed something, please?

c. I have tried to figure out whether idmapd might help me.

I'm sorry, I cannot find anything that tells me what nfsd actually
gets from idmapd, or what one can put in idmapd.conf to influence
that.

Where do I look, please?

I realise that Kerberos is a way of securing this. But that would
require first that I set up a KDC etc., etc., and second that I secure the
connection from the server in the DMZ.

I had hoped to stick with SSH which already does the job of providing a
secure, one-way connection to the server.

I could use NFSv3 and SSH. I can set the ports to use at the server
end, and I can tell the client to forward nfsd and mountd ports -- for
which I can set special ports on the client. However:

d. do I need to forward lockd? How do I tell the client to use a
special port number -- dedicated to lockd on the client?

e. similarly, do I need to forward port 111?

f. I can turn off rquotad on the server, so I don't need to figure out
how to secure that. But I do not know how statd fits into this.

What should I do there?
Thanks,
Chris
--
Chris Hall
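Questions d, e and f above come down to knowing which RPC services the NFSv3 server actually registers with the portmapper, whether the auxiliary daemons (mountd, lockd/nlockmgr, statd/status, rquotad) sit on fixed ports, and which TCP ports therefore have to be carried over the SSH tunnel. The following is an added example written for this page, not code from the original post or from nfs-utils: it parses the table printed by `rpcinfo -p` (format assumed from the Linux rpcbind/portmap utilities), checks the registrations against a table of pinned ports, and derives the `ssh -L` arguments a client would need. The pinned port values, the sample `rpcinfo -p` output and the server name are constructed.

```python
"""Audit an NFSv3 server's RPC registrations and derive SSH port forwards.

Added example, not code from the original mailing-list post or from
nfs-utils.  Assumes the `rpcinfo -p` table layout of Linux rpcbind/portmap;
the PINNED port numbers and SAMPLE_RPCINFO below are constructed.
"""
import re

# ONC RPC program numbers of the services NFSv3 depends on; the names are
# the ones rpcinfo prints in its "service" column.
RPC_PROGRAMS = {
    100000: "portmapper",
    100003: "nfs",
    100005: "mountd",
    100011: "rquotad",
    100021: "nlockmgr",   # lockd
    100024: "status",     # statd
}

# Fixed ports the administrator has chosen (constructed values, of the kind
# set through MOUNTD_PORT / STATD_PORT / LOCKD_TCPPORT / LOCKD_UDPPORT in
# /etc/sysconfig/nfs on Fedora).  Anything not listed here is "unpinned".
PINNED = {
    ("nfs", "tcp"): 2049,
    ("nfs", "udp"): 2049,
    ("mountd", "tcp"): 20048,
    ("mountd", "udp"): 20048,
    ("nlockmgr", "tcp"): 32803,
    ("nlockmgr", "udp"): 32769,
    ("status", "tcp"): 662,
    ("status", "udp"): 662,
}

# One data row of `rpcinfo -p`: program, version, proto, port, service name.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")

# Constructed sample output; statd has landed on ephemeral ports and rquotad
# is still registered, which is what the audit should surface.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   tcp  20048  mountd
    100005    1   udp  20048  mountd
    100021    4   tcp  32803  nlockmgr
    100021    4   udp  32769  nlockmgr
    100024    1   tcp    917  status
    100024    1   udp    914  status
    100011    1   udp    875  rquotad
"""


def parse_rpcinfo(text):
    """Return {(service, proto): set(ports)} from `rpcinfo -p` output.

    The header line and anything that does not match the table layout is
    skipped; the service name is taken from the program number so that a
    renamed or localised rpcinfo column does not matter."""
    bindings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, _vers, proto, port, name = m.groups()
        service = RPC_PROGRAMS.get(int(prog), name)
        bindings.setdefault((service, proto), set()).add(int(port))
    return bindings


def audit(bindings):
    """Compare registrations with PINNED.

    Returns a sorted list of (service, proto, actual_ports, expected_port)
    for every non-portmapper service that is either unpinned (expected_port
    is None) or registered on a port other than the pinned one."""
    findings = []
    for (service, proto), ports in sorted(bindings.items()):
        if service == "portmapper":
            continue
        expected = PINNED.get((service, proto))
        if expected is None or ports != {expected}:
            findings.append((service, proto, sorted(ports), expected))
    return findings


def ssh_forwards(bindings, server):
    """Build `-L` arguments that forward every registered TCP port except the
    portmapper's to the same local port.  The portmapper is left out because
    the client can be pointed straight at the forwarded ports with the
    port= and mountport= mount options instead of asking port 111."""
    args = []
    for (service, proto), ports in sorted(bindings.items()):
        if proto != "tcp" or service == "portmapper":
            continue
        for port in sorted(ports):
            args.append(f"-L {port}:{server}:{port}")
    return args


if __name__ == "__main__":
    regs = parse_rpcinfo(SAMPLE_RPCINFO)
    for service, proto, ports, expected in audit(regs):
        print(f"{service}/{proto}: on {ports}, pinned port {expected}")
    print("ssh", " ".join(ssh_forwards(regs, "nfs-server.example")))
```

Run it against real output with `rpcinfo -p <server> | python3 audit.py` after replacing `SAMPLE_RPCINFO` with `sys.stdin.read()`; the audit lists statd on ephemeral ports and rquotad as unpinned, and the forward list covers nfs, mountd, nlockmgr and status on TCP. One caveat to keep in mind when reading the result: a client-initiated SSH forward only carries connections from the client to the server, whereas lockd's NLM_GRANTED callbacks and statd's SM_NOTIFY messages travel from the server back to the client, so locking over a one-way tunnel degrades to what `nolock` gives you unless a reverse forward is also set up.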