Re: Is there any encrypted or secure NFS?

To: Nano Nano <40101.nospam@comcast.net>
Cc: debian-user@lists.debian.org
Subject: Re: Is there any encrypted or secure NFS?
From: Alvin Oga <aoga@ns.Linux-Consulting.com>
Date: Sat, 3 Jan 2004 14:36:33 -0800 (PST)
Message-id: <[🔎] Pine.LNX.3.96.1040103141707.1450A-100000@Maggie.Linux-Consulting.com>
In-reply-to: <[🔎] 20040103213647.GA9844@comcast.net>


On Sat, 3 Jan 2004, Nano Nano wrote:

> On Sat, Jan 03, 2004 at 01:04:21PM -0800, Alvin Oga wrote:
> > 
> > > >>>>> "Antonio" == Antonio Rodriguez <arodriguez31@cfl.rr.com> writes:
> > > 
> > > Antonio> What would be the best route to establish an encrypted or
> > > Antonio> secure nfs session? I would like to be able to mount a faraway
> > > Antonio> (debian) machine with confidence of not being observed. Any
> > > Antonio> ideas?  Thanks.
> > 
> > use secure rpc
> > use secure portmap
> > use secure nfs
> > use scp/ssh  --> use a good hard to guess/type passphrase
> 
> Isn't it possible to mount drives with ssh, so it does the scp 
> tranparently?

regardless of method .... the basic underlying nfs structure is insecure
so you're supposed to replace the insecure portmap, rpc services with
something more secure
	http://www.linux-sec.net/FileSystem/#NFS

	- crackers can get into your box via nfs vulnerabilities
	because you have it "on" ( big problem )

	or start on another path of coda, intermezzo, afs, ...
	( more fun and tricks )

	- or even better, use an encrypted fs.. than its no longer an
	issue

regardless of method, turn off nfs when not in use and dont use
	nfs if at possible

	- automounter can umount it for you when its not in use


dumb way ... ( brute force )

	user# scp /net/remote-host/mnt/secret/secret-files.txt .
		( trivial way and works easily/fast w/ autofs )

	remote host should be setup to export /mnt/secret to "user" only

better way ...
	better way#  ssh -l user remote-host  -- and enter your pwd
		-- do  your magic
		-- your reequest for nfs is hereby denied !!


/home is probably the only that should be NFS mounted via an
automounter individually for each users home dir ...

----------------------

if you mean: ( hardway .. worst way )

localpc#  ssh  remote " mount /dev/hdc /mnt/secret ; \
		scp /mnt/secret/salaries.txt . ; umount /mnt/secret "
 
too messy ... too many assumptions ... no verification/checking 
	- you dont know that you mounted/umounted properly

	- root should never be able too ssh into another pc
	- users should never be able to mount remote filesystems

	- too many security violations

-----------

remote machine -- should automount /mnt/secret whenever certain users
	tries to access /mnt/secret/secret 

	- if security is an issue, it should never be mounted
	except for local users ... and NOT exported

----------

- turn off nfs when not in use
  ( if you use s script.... mount it before you use the remote fs )
	- if security is an issue... that script should be shot

-- if you use scp ... don't use pass phrase like "pass phrase 123"
   and dont use user passwd like "spot123"  where spot is your dog's name

	== all that easily guessable stuff makes ssh useless

	== anytime the other machine acccepts root logins w/o passwords
	because it uses keys, than the cracker has access to both machines
	without knowing any passwds


- problem is people cant seem to live w/o nfs... or dont want to do things
  a better way

c ya
alvin

Reply to:

Follow-Ups:
- Re: Is there any encrypted or secure NFS?
  - From: Antonio Rodriguez <arodriguez31@cfl.rr.com>

References:
- Re: Is there any encrypted or secure NFS?
  - From: Nano Nano <40101.nospam@comcast.net>

Prev by Date: Re: lost dhcp on boot up
Next by Date: Re: USB 2 Sony Microvault Problems
Previous by thread: Re: Is there any encrypted or secure NFS?
Next by thread: Re: Is there any encrypted or secure NFS?
Index(es):
- Date
- Thread