secure nfs alternatives


Post by jn » Sat, 28 Sep 2002 22:19:22



hi, i am finding myself quickly running out of disks/disk space on
various boxes here on my home network and thus have decided to set up
one of my boxes as a nfs server, as i don't really like the security
model for nfs, i wonder what else exists out there that has a better
security model, I'd prefer it to be crypted, and must work across
multiple nix platforms. Any suggestions would be helpful, thx

regards,
jnf

 
 
 


Post by Hale » Sun, 29 Sep 2002 11:51:00



> hi, i am finding myself quickly running out of disks/disk space on
> various boxes here on my home network and thus have decided to set up
> one of my boxes as a nfs server, as i don't really like the security
> model for nfs, i wonder what else exists out there that has a better
> security model, I'd prefer it to be crypted, and must work across
> multiple nix platforms. Any suggestions would be helpful, thx

> regards,
> jnf

You could try tunneling NFS thru SSH (SNFS);
http://www.math.ualberta.ca/imaging/snfs/

or IBM's free OpenAFS;
http://www.transarc.ibm.com/Library/documentation/afs/3.6/unix/en_US/...

 
 
 


Post by jn » Mon, 30 Sep 2002 07:55:11


> You could try tunneling NFS thru SSH (SNFS);
> http://www.math.ualberta.ca/imaging/snfs/

> or IBM's free OpenAFS;
> http://www.transarc.ibm.com/Library/documentation/afs/3.6/unix/en_US/...


and had all sorts of problems integrating it. as for snfs, well my
view on ssh is 'openssh: the encrypted rootshell'

what about coda? has anyone used that before?

 
 
 


Post by Jack As » Mon, 30 Sep 2002 09:09:25



> as for snfs, well my view on ssh is 'openssh: the encrypted rootshell'

Out of interest, what are you using instead of ssh for secure logins and
single-file transfers? All ipsec all the time, then telnet on top of that?

--
...Vita detestabilis / nunc obdurat / et tunc curat / ludo mentis aciem...

 
 
 


Post by Christopher Brown » Mon, 30 Sep 2002 10:22:23



>> You could try tunneling NFS thru SSH (SNFS);
>> http://www.math.ualberta.ca/imaging/snfs/

>> or IBM's free OpenAFS;
>> http://www.transarc.ibm.com/Library/documentation/afs/3.6/unix/en_US/...


> and had all sorts of problems integrating it. as for snfs, well my
> view on ssh is 'openssh: the encrypted rootshell'

ssh is good for more than that...

I was under the impression that the only parts of AFS that were
"libre" was some of the client software, and that the server side was
held pretty tightly by TransArc.

NFS became ubiquitous because Sun let it get out as an RFC, and
because lots of people implemented that RFC...

> what about coda? has anyone used that before?

I've gotten it working, once every few years. I always forget most of
the pain in between.
--

http://www3.sympatico.ca/cbbrowne/emacs.html
Rules of the Evil Overlord #89. "After I capture the hero's
superweapon, I will not immediately disband my legions and relax my
guard because I believe whoever holds the weapon is unstoppable. After
all, the hero held the weapon and I took it from him."
<http://www.eviloverlord.com/>
 
 
 


Post by Bernd Eckenfel » Tue, 01 Oct 2002 00:14:44



> I was under the impression that the only parts of AFS that were
> "libre" was some of the client software, and that the server side was
> held pretty tightly by TransArc.

OpenAFS is free on server and client side. It is also available for
Windows. But there is also a non-IBM project, Arla, which should be
interoperable.

But note: afs does not encrypt the filesystem payload, and has slightly changed
semantics (which is pretty good for homedir usage).

Other network filesystems which are not compatible include coda (in the
linux kernel) and others like DFS.

Greetings
Bernd

 
 
 


Post by jn » Tue, 01 Oct 2002 07:32:21




> > as for snfs, well my view on ssh is 'openssh: the encrypted rootshell'

> Out of interest, what are you using instead of ssh for secure logins and
> single-file transfers? All ipsec all the time, then telnet on top of that?

I've written some of my own stuff to take care of this problem. I don't
view ssh as a secure alternative, I hate listening to people say that.
It has had almost as many bugs as wuftp, but wu is often regarded as
the most insecure ftp server you could get, yet ssh is the 'secure
alternative'. In work environments I've had to use ssh before and I've
normally just placed a lot of other auth mechanisms before that.
My point of view really is, what good is your crypto, if you're gonna
get rooted every few months? Theo has dropped the ball.
 
 
 


Post by David Utidjia » Thu, 03 Oct 2002 20:23:52



> hi, i am finding myself quickly running out of disks/disk space on
> various boxes here on my home network and thus have decided to set up one
> of my boxes as a nfs server, as i don't really like the security model
> for nfs, i wonder what else exists out there that has a better security
> model, I'd prefer it to be crypted, and must work across multiple nix
> platforms. Any suggestions would be helpful, thx

Well NFS works fine on "trusted" networks.... which is usually what one
has at home. I have used it for years... can't be beat for performance
and ease of setup. Add to that NIS to keep everything straight.

On anything less than a subnet that you have complete control over it is
not secure. NFS/NIS is not a "security nightmare"... it is just plain old
ordinary NOT secure. Anyone with a laptop and root privs can attach to
your NFS network and become any user but not the root user on the server.
In any case... it works fine for networks where one can control who has
root access to what.

AFS, and specifically, OpenAFS (http://www.openafs.org) is the way to go.
It is released under the IBM Public License. Not sure if that is an OSS
license or not.

AFS has clients for Mac OS X, Windows NT/2K/XP, Linux, and all other
flavors of currently shipping Unix that I am aware of. It is extremely
scalable. It was designed for very large networks. It also gives
performance very near local disk speeds due to extensive caching. It is
encrypted throughout. It does not trust the machine (as in NFS) it only
trusts the user once they have been authenticated. You can use LDAP or
Kerberos (and possibly others) authentication mechanisms.

Downside.... it is non-trivial to set up. After that, it is totally
trivial to administer.

Other alternatives are Intermezzo, ARL, Coda. Int. and Coda are still
very much in development. AFS is a mature product. Coda was to be an
OSS implementation of AFS... but once IBM released the source code to AFS
I think it kinda took the wind out of the Coda developers' sails.

In any case if you want easy and reliable AND can trust your network use
NFS/NIS. If you want secure use AFS.

-DU-...etc...
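
An added example, not part of the original thread: the trust model described in the post above (the server accepting whatever UID a client machine sends) is the default `sec=sys` flavor in Linux exports(5) syntax, and this Python check flags such entries in an exports file. The sample file, its paths and networks are constructed, and `sec=krb5p` (Kerberos-authenticated, encrypted NFS) is an option the thread itself does not discuss.

```python
import re

# Constructed sample in Linux exports(5) syntax; paths and networks are illustrative.
SAMPLE_EXPORTS = """\
# constructed example
/home        192.168.1.0/24(rw,sync)
/srv/build   *(rw,no_root_squash,insecure)
/srv/secure  192.168.1.0/24(rw,sync,sec=krb5p)
"""

TOKEN = re.compile(r"([^()]*)(?:\((.*)\))?")

def audit_exports(text):
    """Return (path, client, finding) tuples for export entries worth reviewing."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or a path with no client list (not handled here)
        path = fields[0]
        for tok in fields[1:]:
            m = TOKEN.fullmatch(tok)
            if not m:
                continue
            # "host (rw)" splits into "host" and "(rw)": the second applies to everyone.
            client = m.group(1) or "*"
            opts = (m.group(2) or "").split(",")
            flavors = ["sys"]  # default when no sec= is given
            for o in opts:
                if o.startswith("sec="):
                    flavors = o[4:].split(":")
            if "sys" in flavors:
                findings.append((path, client, "auth_sys"))  # server trusts client-sent UID
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash"))  # client root stays root
            if "insecure" in opts:
                findings.append((path, client, "insecure"))  # unprivileged source ports allowed
            if client == "*":
                findings.append((path, client, "world"))  # any host may mount
    return findings

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:12} {client:18} {finding}")
```
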

 
 
 


Post by Bernd Eckenfel » Thu, 03 Oct 2002 22:06:38



> It is
> encrypted throughout.

I never found a reference to payload encryption. It is not doing that to my
knowledge.

> Downside.... it is non-trivial to set up. After that, it is totally
> trivial to administer.

And one downside is that the server can't use a normal data partition, but
needs to have an AFS volume, which can only be accessed via AFS. This is no
big issue, but a bit annoying, if you only have 2 computers and want to do
peer to peer. It also fairly often crashes the kernel on me in various
versions.

> Other alternatives are Intermezzo, ARL, Coda. Int. and Coda are still
> very much in development. AFS is a mature product. Coda was to be an
> OSS implementation of AFS... but once IBM released the source code to AFS
> I think it kinda took the wind out of the Coda developers' sails.

Well, Coda is in the linux kernel and has some nice detached features, I
would not say AFS is more stable.

Greetings
Bernd

 
 
 

1. Which more secure alternatives to standard NFS are available?

Hi,

I am looking for alternatives to plain NFS which are more robust to
trivial attacks. I am not paranoid about security, but it should not
be as simple as it is with standard NFS to plug in a simple Linux box,
where you have root account, mount an exported file system, switch to
a known user-id and access these files. Even Windows networking is
much more secure since it uses server side authentication.

Are there any alternatives (which work also on SGI/IRIX)?

Rainer
