1. Howto secure NFS on an insecure LAN?
I could use some help from networking gurus out there. We admin a
smallish group of Linux boxes (6-7) at a University. These are
sharing the same Ethernet segment with many other computers on campus,
and we can't really control who is physically connected to it. I.e.,
any student could easily plug a portable in some of the available
sockets and sniff for passwds, impersonate IPs, etc etc.

So we already use ssh so that no passwds fly in the clear within our
network. But now we want to network our boxes properly with NFS/NIS,
and here comes the problem: how can we make it secure??? Yes, I've
read the HOWTOs and I understand how to protect the portmapper with
tcp wrappers and so on; but if our Ethernet is insecure we would
still be vulnerable to someone impersonating some of our machines, right?
Not to speak of GPG and ssh keys in users' home directories, which
would travel in the clear also.

In short: how do we get the functionality of NFS in a secure way, when
even the local segment can't be trusted? (the NIS part we can
probably do without)

Secure RPC does not exist for Linux, it seems; and AFS (I believe) is
out of the question, since only the client (arla) is free. What other
options do we have? OK, I thought about these two options:

(a) Could we have NFS (over tcp) tunneled through ssh (and how hard would
    that be)? Any pointers on this?

(b) Alternatively, is it possible to have CIPE used on non-routable
    IP addresses, co-existing with the routable IPs on the same
    physical network (i.e. just one NIC)? How would you encrypt part
    of a LAN when you can't modify the router?

Any other options???

Jose L Marin
Dept. of Cond. Matter Physics
University of Zaragoza, Spain