Re: NFS over SSH
From: Jason Stone (jason-fbsd-security@shalott.net)
Date: 11/26/02
- Next message: Dmitry Agafonov: "two questions on syslog"
- Previous message: Erick Mechler: "Re: NFS over SSH"
- Maybe in reply to: Jan Lentfer: "NFS over SSH"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 25 Nov 2002 16:03:22 -0800 (PST) From: Jason Stone <jason-fbsd-security@shalott.net> To: <security@freebsd.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> I want to tunnel NFS with SSH for hosts not on my internal network.
> Are there any how-to's available on this topic?
This is fairly unpleasant, what with the use of the portmapper, udp, and
servers (usually) requiring priveleged ports.
If you control both the clients and the servers, check out SFS instead -
it's basically NFS over a single tcp port (so packet filtering and
tunneling are easy), with builtin crypto, and a magic uid-translation
layer, so that uids don't have to be consistent across clients and
servers.
cat /usr/ports/security/sfs/pkg-descr
WWW: http://www.fs.net/
SFS (Self-Certifying File System) is a secure, global file system
with completely decentralized control. SFS lets you access your
files from anywhere and share them with anyone, anywhere. Anyone
can set up an SFS server, and any user can access any server from
any client. SFS lets you share files across administrative realms
without involving administrators or certification authorities.
SFS names file systems by public keys. Every remote file server is
mounted on a self-certifying pathname -- a directory of the form
/sfs/LOCATION:HOSTID, where LOCATION is a DNS hostname and HOSTID
is a cryptographic hash of a public key. This naming scheme allows
for completely decentralized control -- anyone can create a file
server, and any user can access any file server from any client.
Various key management schemes can be built on top of SFS using
symbolic links to map human-readable names to self-certifying
pathnames.
-Jason
-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry
that 10 or 15 years from now, she will come to me and say "Daddy, where
were you when they took freedom of the press away from the Internet?"
-- Mike Godwin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg
iD8DBQE94rpLswXMWWtptckRAgf8AKCVhCYi+bRnqvAbSUVHVHqFXFwQ8ACeISyH
H8yxixmbScilt5gMWF/tQ6Y=
=Tbje
-----END PGP SIGNATURE-----
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
- Next message: Dmitry Agafonov: "two questions on syslog"
- Previous message: Erick Mechler: "Re: NFS over SSH"
- Maybe in reply to: Jan Lentfer: "NFS over SSH"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
