Re: Secure NFS

From: Gene Yoo
Date: 02/24/03

    Date: Mon, 24 Feb 2003 09:03:34 -0800
    From: Gene Yoo <>
    To: Peet Grobler <>,

    Peet Grobler wrote:
    > I've been wondering about this for a while now...
    > Everybody knows NFS is insecure. Right. So no-one uses it. Why not simply modify NFS to use encryption? Why not?
    > Not tunneling, modify the source to either (a) establish ssl connections, or (b) manually encrypt all traffic (I would prefer this
    > one).
    > I'd say, for added security, don't use any public-key exchange. Have a configuration file in which you can specify, say, 6 keys,
    > which will dynamically be changed on-the-fly.
    > If you're interested in such a solution (any one of the above), let me know. I could probably hack it together this weekend, and
    > provide you with a patch. I have been meaning to do this, for the experience. I know how to do it, just never did it, since no-one
    > would use it :)
    > Lemme Know,
    > Peet
    > -----Original Message-----
    > From: []
    > Sent: 20 February 2003 07:17
    > To:
    > Subject: Secure NFS
    > Hello all,
    > I would like to set up a secure NFS in my network. However, I really would like not to have to install the portmap daemon on my server
    > as I don't trust it anymore. Moreover, I would like all the network traffic to be encrypted.
    > I naturally turn myself to SFS server and clients but it doesn't fit my needs. I want a secure exportable file system that I could
    > add to my /etc/fstab file so it could be mounted at boot time (to store users' home directory for instance).
    > I know there is a way for tunnelling NFS with SSH but it seems too experimental for production...
    > So what should I do to resolve this problem?
    > Slaanesh

    You should look into SFS (self-certifying file system) -> this
    topic has been out for some time and I believe you could search this
    through sage or usenix dot org.

    <<gyoo [at] attbi [dot] com>>