SysAdmin: Encrypted NFS with OpenSSH and Linux
Feb 13, 2002, 16:42
by James Strandboge
"NFS is a widely deployed, mature, and understood protocol that allows computers to share files over a network. The main problems with NFS are that it relies on the inherently insecure UDP protocol, transactions are not encrypted, hosts and users cannot be easily authenticated, and it is difficult to firewall. This article provides a solution to most of these problems for Linux clients and servers. These principles may also be applied to any UNIX server with ssh installed. This article assumes basic knowledge of NFS and firewalling for Linux.

First, make sure ssh is installed. Although any version of ssh should work, testing for this article was done using OpenSSH 2.9p2-4 from Debian woody. Because ssh is installed by default in most major Linux distributions, and easily obtainable in other UNIX systems, installation will not be covered here. Ssh protocol version 2 will be used in this article; however, version 1 can be used instead. To use ssh to encrypt communications, the NFS server must be able to handle TCP requests, since ssh cannot do anything with UDP packets at present. This is easily tested with rpcinfo -p on the server.

FreeBSD and Solaris natively support a TCP NFS server. As of this writing, the 2.4 Linux kernel NFS server does not, but progress is being made toward that end. However, the Linux user space NFS server does handle TCP, and this article was tested using nfs-user-server 2.2beta47 from Debian woody. It is also best, though not strictly necessary, if portmap or rpc.bind have support for TCP Wrappers compiled in and have proxy forwarding disabled. Wietse Venema's portmap, the one shipped with all major Linux distributions, should be set up properly."
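The excerpt says the prerequisite check is `rpcinfo -p` on the server: ssh can only forward TCP, so both the `nfs` and `mountd` services must be registered on a TCP transport before any tunnelling is attempted. The script below is an added example, not code from the article or from the nfs-user-server project; the two `rpcinfo -p` listings are constructed samples (one from a server that advertises TCP, one from a UDP-only server), and the helper names `tcp_port` and `nfs_tcp_ready` are my own.

```shell
#!/bin/sh
# Added example: decide from `rpcinfo -p` output whether an NFS server
# can be tunnelled over ssh (i.e. nfs and mountd are registered on TCP).

# Constructed sample: a server whose nfs and mountd answer on UDP and TCP.
SAMPLE_TCP_OK='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp    635  mountd
    100005    1   tcp    635  mountd'

# Constructed sample: a UDP-only server (for example a kernel NFS server
# without TCP support). ssh cannot forward UDP, so this one cannot be used.
SAMPLE_UDP_ONLY='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100005    1   udp    635  mountd'

# tcp_port SERVICE: read rpcinfo -p output on stdin and print the TCP port
# of SERVICE (nfs, mountd, ...). Prints nothing if SERVICE has no tcp entry.
# Columns of rpcinfo -p: program vers proto port service.
tcp_port() {
    awk -v svc="$1" '$3 == "tcp" && $5 == svc { print $4; exit }'
}

# nfs_tcp_ready: read rpcinfo -p output on stdin. Return 0 (and report the
# ports) when both nfs and mountd are reachable over TCP, 1 otherwise.
nfs_tcp_ready() {
    input=$(cat)
    nfs=$(printf '%s\n' "$input" | tcp_port nfs)
    mountd=$(printf '%s\n' "$input" | tcp_port mountd)
    if [ -n "$nfs" ] && [ -n "$mountd" ]; then
        echo "nfs/tcp on port $nfs, mountd/tcp on port $mountd: can be tunnelled with ssh"
        return 0
    fi
    echo "nfs or mountd is not registered on tcp: ssh cannot forward UDP-only NFS" >&2
    return 1
}

# Against a real server the same check is:  rpcinfo -p SERVER | nfs_tcp_ready
printf '%s\n' "$SAMPLE_TCP_OK" | nfs_tcp_ready
printf '%s\n' "$SAMPLE_UDP_ONLY" | nfs_tcp_ready || echo "UDP-only server: not tunnelable"
```

The ports printed by `tcp_port` are the ones the ssh port forward has to target on the server side, which is why the check reads them from the portmapper rather than assuming 2049 and a fixed mountd port: mountd in particular is usually assigned a dynamic port, as the sample's 635 is meant to illustrate.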