On Tuesday 17 July 2007, Edd Barrett wrote:
> Hi,
>
> On 17/07/07, J.C. Roberts <[EMAIL PROTECTED]> wrote:
> > Hi Edd,
> >
> > I was curious if you ever found a decent answer for your question
> > on secure network file systems?
>
> Not really. I have signed up for free academic licenses of sharity
> (not light), as sharity-light seemed to be sketchy on file
> permissions last time I tried it. It will do for now, but in a
> business situation it would be a VERY expensive solution. At least it
> has authentication.
>
> Linux has some userland SSH mounting facilities, it appears we have
> no equivalent.
>
> I have looked at forwarding the NFS/NIS over a ssh tunnel (ssh -L),
> but I do not see an option for mount_nfs that allows you to specify
> the mountd port, so this is not possible.
>

It is possible. How to configure the mount port is in the man page for
mount_nfs(8). Each of the various mount_* commands have their own man
pages with relevant info for the specific file systems (as noted in the
mount(8) man page).

You can expect a performance hit for forcing a mixed transport layer
protocol (UDP and TCP) like NFS to only use TCP, but on the bright side,
if portions of your university network are wireless (i.e. packet loss),
you're probably better off with TCP anyhow.

These guys run NFS over SSH in a mixed environment:
http://www.noahk.com/~sparrow/journal/index?user=noahk

But there are probably better ways to do it.

> I have looked into ipsec, but it seems overly complex and overkill
> for my situation.
>

As for using ipsec, well, the most fair thing I could say is "IPSec
always looks like overkill." I would never call it easy (although some
work is being done to simplify it), but once you get past the learning
curve, ipsec VPNs work very well. Nonetheless, your question somewhat
implied *not* creating a VPN.

> I thought that perhaps the OpenBSD developers might have been
> interested in some sort of "OpenSNFS" project for example as there is
> no decent solution, and they did such a great job on OpenBSD/OpenSSH.
> Thanks for that guys.
>

More than one solution already exists but none of them are simple and
all of them have a learning curve. Your question stated a "secure
network file system" and work on such a beast is currently being
done... it's called NFSv4. ;-)

http://www.ietf.org/rfc/rfc3530.txt

Abstract:
The Network File System (NFS) version 4 is a distributed filesystem
protocol which owes heritage to NFS protocol version 2, RFC 1094, and
version 3, RFC 1813. Unlike earlier versions, the NFS version 4
protocol supports traditional file access while integrating support for
file locking and the mount protocol. In addition, support for strong
security (and its negotiation), compound operations, client caching,
and internationalization have been added. Of course, attention has been
applied to making NFS version 4 operate well in an Internet
environment.

> > You'd have better chances of dividing by zero than getting any
> > useful information out of me about (Le)TeX. I've never studied it,
> > and don't use it, but I must say, I've always been curious about
> > it.
>
> Well if you wish to get started with it, drop me a private email and
> I can suggest some reading materials and websites. There's a whole lot
> more to texlive than just latex (context, xetex, xmlex.. the list
> goes on), but it's not really suitable on the openbsd mailing lists :)
>

Please send them off list :-)

>
> PS: Who's that on CC?

I'm not a fan of NIS, and since NFSv4 has support for Kerberos (and
other interesting goodies), cc'ing two of the guys who are working on
NFSv4 for openbsd seemed wise (see links in previous post). They are in
a much better position than me to tell you what NFSv4 can and cannot
do.

kind regards,
JCR