HOWTO: secure nfs

HOWTO: secure nfs

Post by CS Lab. Stf C.M. H » Tue, 10 Sep 1996 04:00:00

Dear netters,

Is there anyone ever setup a secure nfs server successfully?
I share at the server by

   > share -o secure svr:/share

and mount at client by

  > mount -o sercure svr:/share /mnt

however, I only get the error messages

NFS fsinfo failed for server svr: error 7 (RPC: Authentication error)

at mount.

Can anyone help?

Thank you very much in advance

C.M. Hui


1. Howto secure NFS on an insecure LAN?

Hi all,

I could use some help from networking gurus out there.  We admin a
smallish group of Linux boxes (6-7) at a University.  These are
sharing the same Ethernet segment with many other computers in Campus,
and we can't really control who is physically connected to it.  I.e.,
any student could easily plug a portable in some of the available
sockets and sniff for passwds, impersonate IPs, etc etc.

So we already use ssh so that no passwds fly in the clear within our
network.  But now we want to network our boxes properly with NFS/NIS,
and here comes the problem: how can we make it secure???  Yes, I've
read the HOWTOs and I understand how to protect the portmapper with
tcp wrappers and so on; but if our ethernet is insecure we would be
still vulnerable to someone impersonating some of our machines, right?
Not to speak of GPG and ssh keys in user's home directories, which
would travel in the clear also.

In short: how do we get the functionality of NFS in a secure way, when
even the local segment can't be trusted?  (the NIS part we can
probably do without)

Secure RPC does not exist for Linux, it seems;  and AFS (I believe) is
out of the question, since only the client (arla) is free.  What other
options do we have?  OK, I thought about these two options:

 (a) Could we have NFS (over tcp) tunneled through ssh (and how hard would
    that be)?  Any pointers on this?

 (b) Alternatively, is it possible to have CIPE used on non-routable
    IP addresses, co-existing with the routable IPs on the same
    physical network (i.e. just one NIC)?  How would you encrypt part
    of a LAN when you can't modify the router?

Any other options???


Jose L Marin
Dept. of Cond. Matter Physics
University of Zaragoza, Spain

2. Help with private color map

3. Secure Mounts without Secure NFS

4. Errors After Adding New Hard Drive

5. Looking for data on secure logins, NFS via secure RPC

6. eth0 (dhcp) cannot start so dead lock when boot

7. Secure RPC/Secure NFS for Linux?



10. Secure Secure Secure

11. Howto setup secure rpc without using nis/nis+

12. help: howto to make the machine secure!!

13. Howto secure a webserver?