NFS Security / VPN setup >> [geek post]


snoopy

Guest
I'm currently locking down my American server with encrypted comms. I've got SSL working on mail now, SSH to replace telnet and I've disabled FTP.

What I'm after (as a replacement for FTP) is to be able to mount the root of the server to my local PC. Ideally this would be via NFS, however NFS doesn't seem to support password-protected directories, therefore anyone could mount the drive, and I need it to be rw.

I'm hearing things about setting up a VPN but I'm not familiar with these. Is it this that I need to set up and what are the standard programs for doing this in Linux?

Andrew
 
ssh is a lot more than just a replacement for telnet. You can tunnel other connections through ssh. i.e. samba (to get cifs/smb filesystem access).


google 'samba tunnel through ssh' and see how you get on.
 
Yeah looked at that, but if NFS won't handle access control it's no use. :nenau and SSH is time based, it'll close the connection after 60 mins or whatever, then I'll have to telnet in, set it back up then mount the drive...pita

[ I'm not working with windows shares so would rather avoid samba. ]

Do any of the other file systems (coda etc) support encryption and access control?
 
Script it, wouldn't take a few seconds to set up the tunnel. If the tunnel closes due to lack of activity, have another script that lists an empty dir every few minutes to emulate a keepalive.

Samba can translate ACLs between different OS's quite well.

Also as the tunnel is under the control of ssh/l it's
a) encrypted - strongly.
b) access controlled by strong encrypted password too, to set it up.
 
So to confirm...

1. set up a shared nfs folder (doesn't have to be root now)
2. firewall the nfs port to disable direct access
3. set up ssh to encrypt the nfs data and tunnel.
4. stick a password on using ssh.

I can make and run a script by using ssh telnet and actually the inactivity timer is useful.

I still want to use nfs and not samba. I take it you meant using ssh to do the password and not samba. If ssh doesn't do password access I'm stuffed...
 
Also, how easy is it to mount the nfs folder if it's going over an encrypted line?:nenau
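
The four steps listed above, and the question of mounting over the encrypted line, as an added example that is not part of any post in this thread. The server name, export path, local port and mount point are assumed placeholder values, and the export is assumed to be a plain NFSv4 export mounted by its full path.

```shell
#!/bin/sh
# Added example (not from the thread): NFSv4 mount carried over an SSH port forward.
# Assumed, constructed values: server name, export path, local port, mount point.
SERVER="${SERVER:-user@server.example.com}"
EXPORT="${EXPORT:-/srv/share}"
LPORT="${LPORT:-3049}"
MNT="${MNT:-/mnt/remote}"

# Server side, done once by hand:
#   /etc/exports:  /srv/share 127.0.0.1(rw,sync,insecure,no_subtree_check)
#     - exported to loopback only, so it is reachable only through an SSH login
#     - 'insecure' because sshd connects to nfsd from a port above 1023
#   firewall:      iptables -A INPUT ! -i lo -p tcp --dport 2049 -j DROP

# With DRY_RUN set, print the command instead of running it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

start_tunnel() {
    # -f -N: go to background, no remote shell. The forward listens on
    # 127.0.0.1 only, so other hosts on the LAN cannot use the tunnel.
    # ServerAliveInterval sends a keepalive inside the encrypted channel.
    run ssh -f -N \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=60 -o ServerAliveCountMax=3 \
        -L "127.0.0.1:${LPORT}:127.0.0.1:2049" "$SERVER"
}

mount_share() {
    # NFSv4 needs only TCP 2049, so one forwarded port is enough.
    run mount -t nfs4 -o "port=${LPORT},proto=tcp" "127.0.0.1:${EXPORT}" "$MNT"
}

unmount_share() {
    run umount "$MNT"
    # Stop the background ssh that holds this forward.
    run pkill -f "127.0.0.1:${LPORT}:127.0.0.1:2049"
}

case "${1:-}" in
    up)   start_tunnel && mount_share ;;
    down) unmount_share ;;
esac
```

NFS itself still trusts the UID the client presents (AUTH_SYS), so the access control in this setup is the SSH login: anyone who may log in to the server and forward ports can reach the export.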
 
What I'm after (as a replacement for FTP)
Why not use sftp then if you're already running an SSH server?

NFS v3 does have an ACL extension that you may be able to employ depending on your OS or you could try NFS v4 which has ACL and strong encryption though it's kind of alpha in the Linux kernel I think.

And then there's IPsec (VPN) which when it's working is smashing but a bit of a pain to set up especially if you're employing NAT at either end. I've spent a week trying to get this working in the past though I think each time it gets easier :P . Are you using the same OS at either end?
 
Both linux boxes. FTP isn't good enough now for transferring small files - been meaning to ditch it for a while.

No NFS has password protection so its use without SSH is not possible.:nenau . Both boxes have v4 support.
 
Both linux boxes. FTP isn't good enough now for transferring small files - been meaning to ditch it for a while.

No NFS has password protection so its use without SSH is not possible.:nenau . Both boxes have v4 support.
I must be out of date. I thought you could use Kerberos to authenticate mounts with v4.
 

