Re: Secure Network File System - Or Lack Thereof

2007-07-18 Thread Edd Barrett

Hello again,

On 17/07/07, J.C. Roberts [EMAIL PROTECTED] wrote:

It is possible. How to configure the mount port is in the man page for
mount_nfs(8).


Yes, there are 2 ports needed as far as I can see:
1) nfsd port
2) mountd port

I'm unsure which the man page is describing.


--
Best Regards

Edd

---
http://students.dec.bournemouth.ac.uk/ebarrett



Re: Secure Network File System - Or Lack Thereof

2007-07-18 Thread J.C. Roberts
On Wednesday 18 July 2007, Edd Barrett wrote:
 Hello again,

 On 17/07/07, J.C. Roberts [EMAIL PROTECTED] wrote:
  It is possible. How to configure the mount port is in the man page
  for mount_nfs(8).

 Yes, there are 2 ports needed as far as I can see:
 1) nfsd port
 2) mountd port

 I'm unsure which the man page is describing.

I think you're a bit confused. Neither nfsd nor mountd will let you 
configure to a specific port. Their man pages state as much.  In 
contrast, mount_nfs(8) is the man page which states you have port 
control from the client side.

To get the general concept of NFSv3 over SSH, read the May 9th entry of 
the previously posted link:
http://www.noahk.com/~sparrow/journal/index?user=noahk

Some of the things he's doing seem questionable...

There are differences between his setup (FreeBSD/Linux) and OpenBSD, so 
if you try to run his commands verbatim (as a how-to) they will fail. 
You'll only understand the differences if you read the relevant OpenBSD 
man pages:

man 8 mount_nfs
man 8 mountd (see the STRONGLY discouraged note on the -n option)
man 8 nfsd
man 5 exports
man 8 portmap
man 8 rpcinfo
man 8 sshd
man 1 ssh

Take a look at the last few sentences of the SSH-BASED VIRTUAL PRIVATE 
NETWORKS section of the ssh(1) man page... Tunneling the stock NFSv3 
over SSH will most likely face similar performance/overhead issues.

NFS over SSH can be done, but most would consider it wonky for personal 
mad hackery, and no one in their right mind would ever expect 
*END*USERS* to ever get it right. It might be fun to tinker with and it 
may even be useful for you on a personal basis, but never forget the 
fact that you're pushing rope.

Current best practice for this sort of thing in production would be an 
ipsec vpn (usually with centralized authentication like kerberos or 
similar). Eventually kerberos/NFSv4 will become a viable solution for 
*just* secure network file systems and should be a usable comparatively 
lightweight alternative to a full vpn (or wonky ssh/nfs rope pushing 
exercises).

kind regards,
jcr



Re: Secure Network File System - Or Lack Thereof

2007-07-18 Thread Stuart Henderson
On 2007/07/18 12:56, J.C. Roberts wrote:
 NFS over SSH can be done, but most would consider it wonky for personal 
 mad hackery, and no one in their right mind would ever expect 
 *END*USERS* to ever get it right.

Possibly, with tun forwarding.

 Current best practice for this sort of thing in production would be an 
 ipsec vpn

This is *way easier* than it sounds if you only have OpenBSD 3.8+
systems acting as tunnel gateways (or connecting directly of course),
and is otherwise often not too bad.

Windows is pretty easy if you use TheGreenBow, which is a port
of an older OpenBSD isakmpd - their config export/import format
is mostly documented in isakmpd.conf(5). At least the VPN side...



Re: Secure Network File System - Or Lack Thereof

2007-07-17 Thread J.C. Roberts
On Sunday 15 July 2007, Edd Barrett wrote:
 Hi,

 Also, AFS is i386 only.

 --
 Best Regards

 Edd


Hi Edd,

I was curious if you ever found a decent answer for your question on 
secure network file systems?

The only way I can think of doing it is kerberos and NFSv4.
http://mailman.theapt.org/listinfo/openbsd-nfsv4
http://mailman.theapt.org/pipermail/openbsd-nfsv4/2007-January/88.html

You might want to ask Peter Hessler (SFOBUG President For Life) or Rick 
MacKlem (NFSv4 guru). I've cc'd both of them.


Also, I noticed your work on TeXLive on ports@ and think you deserve 
more than a few kudos for it. I even checked out your homepage and 
porting guide (texlive_port_doc-20070623.pdf).

Pg. 11
  OpenBSD already has a texi2html package in the ports tree, so do not  
   build it.

  texinfo is not built because the old teTeX package did not build it. 
   I do not know the reason for this.

Some of the mystery may be solved by realizing we have some TeX 
utilities already in the base system, in particular, texinfo(5) and 
makeinfo(1) (/usr/src/gnu/usr.bin/texinfo). The texi2html package/port 
is somewhat redundant since makeinfo(1) is already there and it 
supports HTML output. Note: there's a few problems with the XML output 
of makeinfo(1) that kili@ recently resolved but at the moment, the 
patches have not been committed (see bugs@ system/5518).

You'd have better chances of dividing by zero than getting any useful 
information out of me about (La)TeX. I've never studied it, and don't 
use it, but I must say, I've always been curious about it.

kind regards,
JCR



Re: Secure Network File System - Or Lack Thereof

2007-07-17 Thread Edd Barrett

Hi,

On 17/07/07, J.C. Roberts [EMAIL PROTECTED] wrote:

Hi Edd,

I was curious if you ever found a decent answer for your question on
secure network file systems?


Not really. I have signed up for free academic licenses of sharity
(not light), as sharity-light seemed to be sketchy on file permissions
last time I tried it. It will do for now, but in a business situation
it would be a VERY expensive solution. At least it has authentication.

Linux has some userland SSH mounting facilities; it appears we have no
equivalent.

I have looked at forwarding the NFS/NIS over a ssh tunnel (ssh -L),
but I do not see an option for mount_nfs that allows you to specify
the mountd port, so this is not possible.

I have looked into ipsec, but it seems overly complex and overkill for
my situation.

I thought that perhaps the OpenBSD developers might have been
interested in some sort of OpenSNFS project for example as there is
no decent solution, and they did such a great job on OpenBSD/OpenSSH.
Thanks for that guys.



Also, I noticed your work on TeXLive on ports@ and think you deserve
more than a few kudos for it. I even checked out your homepage and
porting guide (texlive_port_doc-20070623.pdf).


Great, I'm glad people are appreciating my struggle :P I wrote the
documentation so that I can remember how to do it next year when 2008
comes out. Documentation is important, I believe.



Some of the mystery may be solved by realizing we have some TeX
utilities already in the base system, in particular, texinfo(5) and
makeinfo(1) (/usr/src/gnu/usr.bin/texinfo). The texi2html package/port
is somewhat redundant since makeinfo(1) is already there and it
supports HTML output. Note: there's a few problems with the XML output
of makeinfo(1) that kili@ recently resolved but at the moment, the
patches have not been committed (see bugs@ system/5518).


I see! I'll add that into the doc!



You'd have better chances of dividing by zero than getting any useful
information out of me about (La)TeX. I've never studied it, and don't
use it, but I must say, I've always been curious about it.


Well, if you wish to get started with it, drop me a private email and I
can suggest some reading materials and websites. There's a whole lot
more to texlive than just latex (context, xetex, xmlex.. the list goes
on), but it's not really suitable on the OpenBSD mailing lists :)

Take care and thanks

PS: Who's that on CC?

--
Best Regards

Edd

---
http://students.dec.bournemouth.ac.uk/ebarrett



Re: Secure Network File System - Or Lack Thereof

2007-07-17 Thread Rick Macklem
 I was curious if you ever found a decent answer for your question on 
 secure network file systems?
 
 The only way I can think of doing it is kerberos and NFSv4.
 http://mailman.theapt.org/listinfo/openbsd-nfsv4
 http://mailman.theapt.org/pipermail/openbsd-nfsv4/2007-January/88.html

I didn't see the original post, so I can't say if it is appropriate to
your needs, but you can grab it from:
ftp.cis.uoguelph.ca/pub/nfsv4 - anonymous ftp
or look at the web page http://snowhite.cis.uoguelph.ca/nfsv4

There is a mailing list on sfobug, but it has very little traffic, mostly
just posts by me about patches, etc.

Good luck with whatever you choose, rick



Re: Secure Network File System - Or Lack Thereof

2007-07-17 Thread J.C. Roberts
On Tuesday 17 July 2007, Edd Barrett wrote:
 Hi,

 On 17/07/07, J.C. Roberts [EMAIL PROTECTED] wrote:
  Hi Edd,
 
  I was curious if you ever found a decent answer for your question
  on secure network file systems?

 Not really. I have signed up for free academic licenses of sharity
 (not light), as sharity-light seemed to be sketchy on file
 permissions last time I tried it. It will do for now, but in a
 business situation it would be a VERY expensive solution. At least it
 has authentication.

 Linux has some userland SSH mounting facilities; it appears we have
 no equivalent.

 I have looked at forwarding the NFS/NIS over a ssh tunnel (ssh -L),
 but I do not see an option for mount_nfs that allows you to specify
 the mountd port, so this is not possible.


It is possible. How to configure the mount port is in the man page for 
mount_nfs(8). Each of the various mount_* commands have their own man 
pages with relevant info for the specific file systems (as noted in the 
mount(8) man page).

You can expect a performance hit for forcing a mixed transport layer 
protocol (UDP and TCP) like NFS to only use TCP but on the bright side, 
if portions of your university network are wireless (i.e. packet loss), 
you're probably better off with TCP anyhow. 

These guys run NFS over SSH in a mixed environment:
http://www.noahk.com/~sparrow/journal/index?user=noahk
But there are probably better ways to do it.

 I have looked into ipsec, but it seems overly complex and overkill
 for my situation.


As for using ipsec, well, the fairest thing I could say is IPsec 
always looks like overkill. I would never call it easy (although some 
work is being done to simplify it), but once you get past the learning 
curve, IPsec VPNs work very well. Nonetheless, your question 
somewhat implied *not* creating a VPN.

 I thought that perhaps the OpenBSD developers might have been
 interested in some sort of OpenSNFS project for example as there is
 no decent solution, and they did such a great job on OpenBSD/OpenSSH.
 Thanks for that guys.


More than one solution already exists, but none of them are simple and 
all of them have a learning curve. Your question stated a secure 
network file system and work on such a beast is currently being 
done... it's called NFSv4. ;-)

http://www.ietf.org/rfc/rfc3530.txt
Abstract:
   The Network File System (NFS) version 4 is a distributed filesystem
   protocol which owes heritage to NFS protocol version 2, RFC 1094, and
   version 3, RFC 1813.  Unlike earlier versions, the NFS version 4
   protocol supports traditional file access while integrating support
   for file locking and the mount protocol.  In addition, support for
   strong security (and its negotiation), compound operations, client
   caching, and internationalization have been added.  Of course,
   attention has been applied to making NFS version 4 operate well in an
   Internet environment.


  You'd have better chances of dividing by zero than getting any
  useful information out of me about (La)TeX. I've never studied it,
  and don't use it, but I must say, I've always been curious about
  it.

 Well, if you wish to get started with it, drop me a private email and
 I can suggest some reading materials and websites. There's a whole lot
 more to texlive than just latex (context, xetex, xmlex.. the list
 goes on), but it's not really suitable on the OpenBSD mailing lists :)

Please send them off list :-)


 PS: Who's that on CC?

I'm not a fan of NIS, and since NFSv4 has support for kerberos (and 
other interesting goodies), cc'ing two of the guys who are working on 
NFSv4 for OpenBSD seemed wise (see links in previous post). They are in 
a much better position than me to tell you what NFSv4 can and cannot 
do.

kind regards,
JCR



Secure Network File System - Or Lack Thereof

2007-07-17 Thread Linden Varley

Not sure what you were originally after but I came across this the other day

http://fuse.sourceforge.net/sshfs.html

- Linden.

J.C. Roberts wrote:

On Tuesday 17 July 2007, Edd Barrett wrote:

Hi,

On 17/07/07, J.C. Roberts [EMAIL PROTECTED] wrote:


Hi Edd,

I was curious if you ever found a decent answer for your question
on secure network file systems?

Not really. I have signed up for free academic licenses of sharity
(not light), as sharity-light seemed to be sketchy on file
permissions last time I tried it. It will do for now, but in a
business situation it would be a VERY expensive solution. At least it
has authentication.

Linux has some userland SSH mounting facilities; it appears we have
no equivalent.

I have looked at forwarding the NFS/NIS over a ssh tunnel (ssh -L),
but I do not see an option for mount_nfs that allows you to specify
the mountd port, so this is not possible.




It is possible. How to configure the mount port is in the man page for 
mount_nfs(8). Each of the various mount_* commands have their own man 
pages with relevant info for the specific file systems (as noted in the 
mount(8) man page).


You can expect a performance hit for forcing a mixed transport layer 
protocol (UDP and TCP) like NFS to only use TCP but on the bright side, 
if portions of your university network are wireless (i.e. packet loss), 
you're probably better off with TCP anyhow. 


These guys run NFS over SSH in a mixed environment:
http://www.noahk.com/~sparrow/journal/index?user=noahk
But there are probably better ways to do it.


I have looked into ipsec, but it seems overly complex and overkill
for my situation.




As for using ipsec, well, the fairest thing I could say is IPsec 
always looks like overkill. I would never call it easy (although some 
work is being done to simplify it), but once you get past the learning 
curve, IPsec VPNs work very well. Nonetheless, your question 
somewhat implied *not* creating a VPN.



I thought that perhaps the OpenBSD developers might have been
interested in some sort of OpenSNFS project for example as there is
no decent solution, and they did such a great job on OpenBSD/OpenSSH.
Thanks for that guys.




More than one solution already exists, but none of them are simple and 
all of them have a learning curve. Your question stated a secure 
network file system and work on such a beast is currently being 
done... it's called NFSv4. ;-)


http://www.ietf.org/rfc/rfc3530.txt
Abstract:
   The Network File System (NFS) version 4 is a distributed filesystem
   protocol which owes heritage to NFS protocol version 2, RFC 1094, and
   version 3, RFC 1813.  Unlike earlier versions, the NFS version 4
   protocol supports traditional file access while integrating support
   for file locking and the mount protocol.  In addition, support for
   strong security (and its negotiation), compound operations, client
   caching, and internationalization have been added.  Of course,
   attention has been applied to making NFS version 4 operate well in an
   Internet environment.



You'd have better chances of dividing by zero than getting any
useful information out of me about (La)TeX. I've never studied it,
and don't use it, but I must say, I've always been curious about
it.

Well, if you wish to get started with it, drop me a private email and
I can suggest some reading materials and websites. There's a whole lot
more to texlive than just latex (context, xetex, xmlex.. the list
goes on), but it's not really suitable on the OpenBSD mailing lists :)



Please send them off list :-)


PS: Who's that on CC?



I'm not a fan of NIS, and since NFSv4 has support for kerberos (and 
other interesting goodies), cc'ing two of the guys who are working on 
NFSv4 for OpenBSD seemed wise (see links in previous post). They are in 
a much better position than me to tell you what NFSv4 can and cannot 
do.


kind regards,
JCR




Re: Secure Network File System - Or Lack Thereof

2007-07-15 Thread Edd Barrett

Hi,

Also, AFS is i386 only.

--
Best Regards

Edd

---
http://students.dec.bournemouth.ac.uk/ebarrett



Re: Secure Network File System - Or Lack Thereof

2007-07-14 Thread Edd Barrett

Hi,

On 14/07/07, Markus Lude [EMAIL PROTECTED] wrote:

What's your problem with AFS?


It's not in base.

--
Best Regards

Edd

---
http://students.dec.bournemouth.ac.uk/ebarrett



Re: Secure Network File System - Or Lack Thereof

2007-07-14 Thread Landry Breuil
2007/7/14, Edd Barrett [EMAIL PROTECTED]:

 Hi,

 On 14/07/07, Markus Lude [EMAIL PROTECTED] wrote:
  What's your problem with AFS?

 It's not in base.


man -k afs seems to say that AFS is in base, using the ARLA implementation (and
OpenAFS is in ports).

Landry



Re: Secure Network File System - Or Lack Thereof

2007-07-14 Thread Antoine Jacoutot

On Sat, 14 Jul 2007, Landry Breuil wrote:

man -k afs seems to say that AFS is in base, using the ARLA implementation (and
OpenAFS is in ports).


Only the Arla _client_ is in base.

--
Antoine



Re: Secure Network File System - Or Lack Thereof

2007-07-14 Thread Will Maier
On Sat, Jul 14, 2007 at 02:41:40PM +0200, Landry Breuil wrote:
 man -k afs seems to say that AFS is in base, using the ARLA
 implementation.

This is true, but ARLA doesn't have a production server
implementation available. The AFS client is great (and obviously
interoperates with OpenAFS servers).

 (and OpenAFS is in ports)

This port is a bit broken, IIRC, and out of date. I spent a week or
two a few months ago trying to update the port, but it's
non-trivial. It would be great to update it, but I wasn't really
making progress.

-- 

o--{ Will Maier }--o
| web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
*--[ BSD Unix: Live Free or Die ]--*



Secure Network File System - Or Lack Thereof

2007-07-13 Thread Edd Barrett

Hi,

I'm sure this has already been discussed in some manner, but I do not
know under which search term. Sorry for duplication.

I have been setting up NIS for the University I work for, and it
shocks me just how insecure the whole affair is. What a mess.

Has the OpenBSD project considered writing a distributed filesystem
that can at least replace NFS in a NIS setup? And I am not talking
about AFS. OpenBSD has some of the best crypto hackers out there! I'm
sure it would be a good project. Can the SSH crypto be crafted into
some form of network filesystem?

End rant. Have a good weekend all.

--
Best Regards

Edd

---
http://students.dec.bournemouth.ac.uk/ebarrett