
[Nbd] authenticated and named exports

Hi folks,

After the 2.9.16 release a few days ago, I didn't stop coding.

I forward-ported Brad Allen's auth patch, so that it works again. I'm
not sure what to do with it; it only provides authentication, but not
integrity; I don't want to give people a false sense of security. Maybe
if people combine it with something like stunnel, or a VPN or something,
it can be entirely safe... I dunno. At any rate, there's an 'auth'
branch on sourceforge and github, you can check it out if you want.

Second, I implemented a scheme for specifying exports by name, rather
than by port. It would work by way of a -N option:

nbd-client localhost /dev/nbd0 -N myexport

In this situation, nbd-client would need to connect to nbd-server on a
well-known port (I have a request out at IANA), and would send the
string "myexport" as the name of the export; NBD-server would search for
an export with "myexport" as the group name in the config file, as in

	exportname = /dev/sda

and then serve that. Note the absence of the port number; in this
version of nbd-server, only the 'exportname' parameter is required.

I've added an 'oldstyle' boolean option for the [generic] section. If
you switch that on, then the port number is still required, and
nbd-server will export the device both on the well-known port where a
name has to be specified, and on the port you specify with the 'old'
unmodified negotiation protocol.

If you export a file on the command line, then specifying the export by
name isn't possible. It's also not possible to export a file on the
well-known port in the old style, even if you only export files on the
command line.

I'm not going to release this until IANA assigns me a port number, but
the patch is in the 'names' branch in git on sourceforge and github.

Feedback on this would be welcome.

The biometric identification system at the gates of the CIA headquarters
works because there's a guard with a large gun making sure no one is
trying to fool the system.
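
The lookup described in this message, as an added example; it is not part of the original message and is not nbd-server code. It assumes an INI-style config read with Python's configparser, a per-export key named `port`, and constructed sample values; `load_exports` and `resolve` are hypothetical names. The client-supplied name is matched only against configured group names and is never used as a path.

```python
import configparser

# Constructed sample config. [generic], oldstyle and exportname come from the
# message; the "port" key name and all values are assumptions of this example.
SAMPLE = """
[generic]
oldstyle = true

[myexport]
exportname = /dev/sda
port = 12345
"""


class ConfigError(ValueError):
    """Raised when an export section breaks the rules described above."""


def load_exports(text):
    """Parse config text; return (oldstyle, {group name: export settings})."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    oldstyle = cp.getboolean("generic", "oldstyle", fallback=False)
    exports = {}
    for name in cp.sections():
        if name == "generic":
            continue  # settings section, never offered as an export
        sec = cp[name]
        if "exportname" not in sec:
            raise ConfigError(f"[{name}]: exportname is required")
        port = sec.getint("port", fallback=None)
        if oldstyle and port is None:
            # With oldstyle on, each export is also served on its own port.
            raise ConfigError(f"[{name}]: oldstyle is on, port is required")
        exports[name] = {"exportname": sec["exportname"], "port": port}
    return oldstyle, exports


def resolve(exports, requested):
    """Map the name a client sent to a configured export, or None."""
    # Exact match on group names only: "/dev/sda" or "generic" resolve to None.
    return exports.get(requested)


if __name__ == "__main__":
    _, table = load_exports(SAMPLE)
    print(resolve(table, "myexport"))
```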
