On 15 Nov 2002 00:28:00 +0200, Meir Michanie <[EMAIL PROTECTED]> wrote:
> 
> One solution is using NFS over ssh.
> 
> to do this you need:
> 
> 1. edit /etc/exports to something like
>       /home   localhost(rw,root_squash,secure)  

Agreed.

> 2. generate a private key for root and put it in every client machine
> (ssh requires the file to have permission --- for group and others).
> 2.1 copying the public key to .ssh/authorized-keys

NO.

2.1 Create a DSA private/public key pair for each client. Save
    the private key in the client ~root/.ssh/id_dsa_NFS
    (with mode rw------- and the directory rwx------).
2.2 Transfer the public key to the host machine and save it in
    ~root/.ssh/authorized_keys2 with syntax like this:

command="exec COMMAND",no-pty,permitopen="localhost:2049" ssh-dss <public-key>

Where COMMAND is some program or script that will show the current
status and allow the user to terminate but nothing else. (I have
written several scripts that are used for users who use the ssh server
machine just to connect to other machines, mostly using VNC).

I wrote the nfs port explicitly because I'm not sure that 
`permitopen="localhost:nfs"' will work.

> 3. using ssh to redirect ports ssh -f -L 1234:<nfs-server>:nfs -i
> ssh/identity /bin/sleep 60

Change that to:
3. ssh -L <l-port>:localhost:2049 -i ~root/.ssh/id_dsa_NFS <NFS-server>
Your original line misses the hostname and the command is not needed
(it is dictated by the key in authorized_keys2).

> BUT!!!!!!
> this brings two other problems:
> 
> 1. all connections to NFS on the server will show as from localhost.
 
Minor problem.

> 2. any machine able to connect with ssh is also able to mount the nfs
> drive even though you block the nfs ports. (this could open another
> discussion: How secure is it to run ssh.)

It depends on your authorized_keys configuration (see above).
As a rule I change the sshd_config to NOT allow password login -
(PasswordAuthentication no). Since NFS is allowed only to root,
only the machines with root access and with correctly configured
public key can do it.

> 3. get the private key from one compromised client and you have root
> control over the net, next step would be ssh root@server -i
> compromised-key

That is not true. The intruder already has root privileges for the
broken-into system and all she can do is what she can do locally on
that system (she cannot run anything on the NFS host directly).

> I read this article and I do not know if it works on linux.
>  http://www.unet.univie.ac.at/aix/aixbman/commadmn/nfs_secure.htm
> 
> SO, how do you set a roaming profile ($HOME) without compromising the
> entire network to make a walk in the park for a newbie hacker?

So it's quite secure (as secure as SSH for login).

Ehud.


-- 
 Ehud Karni           Tel: +972-3-7966-561  /"\
 Mivtach - Simon      Fax: +972-3-7966-667  \ /  ASCII Ribbon Campaign
 Insurance agencies   (USA) voice mail and   X   Against   HTML   Mail
 http://www.mvs.co.il  FAX:  1-815-5509341  / \
 mailto:[EMAIL PROTECTED]                  Better  Safe  Than  Sorry
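
One possible shape for the COMMAND script described in step 2.2, as an added example that is not part of the original message. The function name, the install name `nfs-tunnel-status`, and the accepted words `status` and `quit` are assumptions.

```shell
#!/bin/sh
# Added example (constructed): forced command for the NFS-tunnel key.
# sshd runs this instead of whatever the client asks for; it reports status
# and waits for "quit". Names and accepted words are assumptions.

nfs_tunnel_status() {
    # sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port".
    client=${SSH_CONNECTION:-unknown}
    client=${client%% *}
    started=$(date)
    echo "NFS tunnel session for $client, opened $started"

    # The client's requested command is only reported, never executed.
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        echo "requested command ignored: this key only permits the tunnel"
        if command -v logger >/dev/null 2>&1; then
            logger -t nfs-tunnel "client $client requested a command; denied" \
                2>/dev/null || true
        fi
    fi

    echo "type 'status' or 'quit'"
    # Input is matched against fixed words only; it is never passed to eval,
    # a shell, or any other program.
    while IFS= read -r line; do
        case $line in
            status) echo "tunnel open for $client since $started" ;;
            quit)   echo "closing tunnel"; return 0 ;;
            *)      echo "unrecognised input ignored" ;;
        esac
    done
    return 0    # EOF: the client disconnected
}

# Run only when installed under the assumed name nfs-tunnel-status.
case ${0##*/} in
    nfs-tunnel-status) nfs_tunnel_status ;;
esac
```
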
