On Wed, Oct 18, 2017 at 05:43:44PM -0500, Benjamin Kaduk wrote: > I fear I must wade into this thread, despite it being thick with FUD. > > On Wed, Oct 18, 2017 at 07:27:42PM +0200, WhiteWinterWolf (Simon) wrote: > > Hi Ronald, > > > > Le 18/10/2017 ? 06:00, Ronald F. Guilmette a ?crit : > > > > > > In message <49252eda-3d48-f7bc-95e7-db716db4e...@whitewinterwolf.com>, > > > "WhiteWinterWolf (Simon)" <freebsd.li...@whitewinterwolf.com> wrote: > > > > > >> Ideally, you would use a specific protection for each of these layers, > > >> so that an vulnerability affecting one layer would be compensated by > > >> other layers. > > > > > > A good point. > > > > > > Right about now, I wish that I knew one hell of a lot more about both > > > NFS and SMB than I do... and also SSH and TLS. I suspect that the > > > file sharing protocols I am most concerned about (NFS & SMB) could > > > perhaps be run in a manner such that both initial volume mounts and > > > also data blocks (to & from) the share volumes would be additionally > > > encrypted, so that I could be running everything securely, even if > > > some attacker managed to do maximally evil things to my WiFi/WPA2 > > > network. > > > > > > Do NFS and/or SMB have their own built-in encryption? > > > > No, not really. > > > > NFS has no built-in encryption, it may be possible to tunnel it but this > > is out-of-scope here (using a VPN and tunnel everything would be easier > > than nitpicking and tunnel only the NFS data flow). > > This statement is either false or highly misleading. NFS (both v3 and v4) > is an RPC protocol, and RPCSEC_GSS exists and can provide per-message > confidentiality protection. It may be true that Kerberos is basically > the only GSS-API mechanism implemented for RPCSEC_GSS, and the necessary > Kerberos setup is far more painful to set up than it needs to be, > but all modern NFS implementations support it.
More specifically, for FreeBSD a very quick search finds https://wiki.freebsd.org/KerberizedNFS which includes that you can configure an export as krb5p which encrypts the payload of RPC requests. Although the article is dated this year, "man mount_nfs" shows krb5p is documented in 10.3-RELEASE so all supported FBSD versions should implement krb5p. This is probably overkill for a home setup. Regards, Gary _______________________________________________ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
