Re: Secure NFS
From: Gene Yoo (firstname.lastname@example.org)
- In reply to: Peet Grobler: "RE: Secure NFS"
Date: Mon, 24 Feb 2003 09:03:34 -0800
From: Gene Yoo <email@example.com>
To: Peet Grobler <firstname.lastname@example.org>, email@example.com
Peet Grobler wrote:
> I've been wondering about this for a while now...
> Everybody knows NFS is insecure. Right. So no-one uses it. Why not simply modify NFS to use encryption? Why not?
> Not tunneling, modify the source to either (a) establish ssl connections, or (b) manually encrypt all traffic (I would prefer this
> I'd say, for added security, don't use any public-key exchange. Have a configuration file in which you can specify, say, 6 keys,
> which will dynamically be changed on-the-fly.
> If you're interested in such a solution (any one of the above), let me know. I could probably hack it together this weekend, and
> provide you with a patch. I have been meaning to do this, for the experience. I know how to do it, just never did it, since no-one
> would use it :)
> Lemme Know,
> -----Original Message-----
> From: firstname.lastname@example.org [mailto:email@example.com]
> Sent: 20 February 2003 07:17
> To: firstname.lastname@example.org
> Subject: Secure NFS
> Hello all,
> I would like to set up a secure NFS in my network. However, I really would like not to have to install portmap daemon on my server
> as I don't trust it anymore. Moreover, I would like all the network traffic to be encrypted.
> I naturally turn myself to SFS server and clients but it doesn't fit my needs. I want a secure exportable file system that I could
> add to my /etc/fstab file so it could be mounted at boot time (to store users' home directory for instance).
> I know there is a way for tunnelling NFS with SSH but it seems too experimental for production...
> So what should I do to resolve this problem?
you should look into SFS (self-certifying file system) -> fs.org. this
topic has been out for some time and i believe you could search this
through sage or usenix dot org.
-- <<gyoo [at] attbi [dot] com>>