Urgent help with Secure NFS.
From: Jesse W. Asher (jasher@techdata.com)
Date: 04/22/03
Date: Tue, 22 Apr 2003 16:18:33 -0400 From: "Jesse W. Asher" <jasher@techdata.com> To: secureshell@securityfocus.com
Hello all! I sent the below email to someone who may be able to help
me, but I thought I'd send it to this list as well to see if anyone had
implemented the Secure NFS over SSH mentioned at
http://www.math.ualberta.ca/imaging/snfs/ If anyone has done this
successfully, I'd appreciate any pointers.
Note that I'm not tunnelling using mountprog since HP/ux doesn't seem to
have that option - I'm just attempting to tunnel all NFS traffic to the
remote NFS server.
-------- Original Message --------
I've been trying to implement Secure NFS over SSH using
your howto and I've run into a snag. I've got rpc_psrv to run and
execute rpc_pcl on the NFS server.
Both systems are running HP/ux 11i. This means that I can't use the
mountprog functionality and so I'm just trying to get all NFS traffic to
be tunnelled through a firewall from the NFS client to the NFS server.
I have the following on the NFS server:
rpc_pcl -d -e pcl.log is running
Here is rpcinfo -p:
105 [<nfsserver> /var/adm]
#> rpcinfo -p
program vers proto port service
100000 4 tcp 111 rpcbind
100000 3 tcp 111 rpcbind
100000 2 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100000 3 udp 111 rpcbind
100000 2 udp 111 rpcbind
100024 1 tcp 49152 status
100024 1 udp 49158 status
100021 1 tcp 49153 nlockmgr
100021 1 udp 49159 nlockmgr
100021 3 tcp 49154 nlockmgr
100021 3 udp 49160 nlockmgr
100021 4 tcp 49155 nlockmgr
100021 4 udp 49161 nlockmgr
100020 1 udp 4045 llockmgr
100020 1 tcp 4045 llockmgr
100021 2 tcp 49156 nlockmgr
100068 2 udp 49168 cmsd
100068 3 udp 49168 cmsd
100068 4 udp 49168 cmsd
100068 5 udp 49168 cmsd
100083 1 tcp 49157 ttdbserver
805306352 1 tcp 683
100005 1 udp 49308 mountd
100005 3 udp 49308 mountd
100005 1 tcp 49181 mountd
100005 3 tcp 49181 mountd
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
On the NFS client, I have:
rpc_psrv -d -b /usr/local/etc/snfs/single
ssh -C -x -oFallBackToRsh\ no nfsserver rpc_pcl -d -e pcl.log
rpcinfo -p:
#> rpcinfo -p
program vers proto port service
100000 4 tcp 111 rpcbind
100000 3 tcp 111 rpcbind
100000 2 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100000 3 udp 111 rpcbind
100000 2 udp 111 rpcbind
100024 1 tcp 49152 status
100024 1 udp 49155 status
100021 1 tcp 49153 nlockmgr
100021 1 udp 49156 nlockmgr
100021 3 tcp 49154 nlockmgr
100021 3 udp 49157 nlockmgr
100021 4 tcp 49155 nlockmgr
100021 4 udp 49158 nlockmgr
100020 1 udp 4045 llockmgr
100020 1 tcp 4045 llockmgr
100021 2 tcp 49156 nlockmgr
805306352 1 tcp 718
100005 3 udp 49985 mountd
100003 3 udp 49985 nfs
My /usr/local/etc/snfs/single file looks like this (long lines were wrapped by the mailer and have been rejoined here):
#> cat single
#
# configuration file for rpc_psrv
#
# the port the proxy listens on
Port 0
# Fully qualified IP address the proxy listens on (default is local IP address)
# ListenAddress nnn.nnn.nnn.nnn
# RPC services to be forwarded via UDP (change each ,3 to ,2 for NFS Version 2)
UdpForward 100003,3:-::*:* 100005,3:100005:k:*:* 100003,3::k:-
# the id the server should run as
Id snfs
# don't use the security features. overrides InsecurePort and InsecureMsg
# Insecure no
# accept requests coming from unreserved ports
# InsecurePort no
# don't check rpc credentials or program numbers of forwarded requests
# InsecureMsg no
# use a magic value (yes or no)
# WithMagic yes
# the magic value (hex or decimal) to detect when sync is lost
# PacketMagic 0x6feeddcc
# maximum reference count per XID mapping, to avoid superfluous retransmissions
# MaxRefCount 1
# the ID string the proxy server expects to see from the remote client
# IdString RPC Proxy Client
# quiet logging (no logging) or not
QuietMode no
# logging to syslog (yes or no)
LogToSyslog yes
# logging facility (accepts the same facilities as SSH)
# LogFacility DAEMON
# keep portmapper entries as far as possible (yes or no)
# if yes: old portmap entries are not unset before setting new ones, this
# keeps external settings (e.g. by pmap_set)
KeepPortmap yes
# reap interval in seconds (for reaping stale XID mappings)
ReapInterval 60
# the SSH command line to be executed
# 2 possibilities:
# give a Host, a TunnelCommand and a RemoteCommand. Defaults are:
# TunnelCommand ssh ssh -c blowfish -x -oFallBackToRsh\ no
# RemoteCommand rpc_pcl
# The -M arguments for rpc_pcl are added according to UdpForward
Host usclwbwd01
#RemoteCommand rpc_pcl -P -1 -e snfs-HOST-100005.log
# Use this command line for a production environment:
#SshCommand ssh ssh -c blowfish -x -oFallBackToRsh\ no nfsserver rpc_pcl -P -1
#SshCommand ssh ssh -c blowfish -x -oFallBackToRsh\ no nfsserver rpc_pcl
# Replace the above command with this one to generate a remote debugging log
# in /var/log/rpc_pcl
SshCommand ssh ssh -C -x -oFallBackToRsh\ no nfsserver rpc_pcl -d -e pcl.log
# NOTE: The arguments of SshCommand are used in execvp():
# the first argument is the file to be executed, the second one is
# argv[0], etc. Whitespace delimits words; backslash quotes the
# next character.
What happens when I try to do a "mount -F nfs nfsserver:/usr/trans
/usr/trans" is that I get portmapper packets going directly to
nfsserver on port 111 rather than the packets going over the SSH
tunnel. Since there is a firewall, it stops the packets to port 111
and a connection is never established. Do you have ideas as to what
could be causing this? I would appreciate any assistance you can
provide. I'm up against a deadline and I'm trying to get this thing
working. Thanks again and thanks for all the effort!
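One way to verify the client-side portmapper registrations the message relies on, written as an added example (it is not part of the message or of the snfs howto): it parses `rpcinfo -p` output and reports whether the forwarded mountd and nfs programs are advertised on one local proxy port. The sample input is a subset of the client's listing above; the check assumes a single rpc_psrv instance registers both forwarded programs on its one listening port, as that listing shows.

```python
"""Check that a host's portmapper advertises the NFS programs that
rpc_psrv is supposed to forward, from `rpcinfo -p` output."""
from typing import Dict, List, Tuple

# Constructed sample: lines taken from the NFS client's `rpcinfo -p` in the message.
CLIENT_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100021    3   udp  49157  nlockmgr
 805306352    1   tcp    718
    100005    3   udp  49985  mountd
    100003    3   udp  49985  nfs
"""

Entry = Tuple[int, int, str]  # (program number, version, protocol)
NFS_PROG, MOUNT_PROG = 100003, 100005


def parse_rpcinfo(text: str) -> Dict[Entry, int]:
    """Map (program, version, proto) -> port. The header line is skipped;
    entries without a service name (like 805306352) are still kept."""
    table: Dict[Entry, int] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # header, blank line, or something that is not an entry
        prog, vers, proto, port = int(fields[0]), int(fields[1]), fields[2], int(fields[3])
        table[(prog, vers, proto)] = port
    return table


def check_forwarding(table: Dict[Entry, int], nfs_vers: int = 3, proto: str = "udp") -> List[str]:
    """Return the problems found (empty list = looks right for a client running
    rpc_psrv): both forwarded programs registered, on the same local proxy port,
    and nfs not sitting on 2049, which would indicate a real local nfsd instead."""
    problems: List[str] = []
    nfs_port = table.get((NFS_PROG, nfs_vers, proto))
    mount_port = table.get((MOUNT_PROG, nfs_vers, proto))
    if nfs_port is None:
        problems.append(f"nfs v{nfs_vers}/{proto} not registered with local portmapper")
    if mount_port is None:
        problems.append(f"mountd v{nfs_vers}/{proto} not registered with local portmapper")
    if nfs_port is not None and mount_port is not None and nfs_port != mount_port:
        problems.append(f"nfs on port {nfs_port} but mountd on {mount_port}: not one proxy")
    if nfs_port == 2049:
        problems.append("nfs on 2049 looks like a local nfsd, not the rpc_psrv proxy")
    return problems


if __name__ == "__main__":
    print(check_forwarding(parse_rpcinfo(CLIENT_RPCINFO)) or "forwarded programs registered")
```

Running the same check over the server's listing reports nfs on 2049 and mountd on a different port, which is what a real NFS server rather than a proxy looks like.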