Security Basics mailing list archives

RE: Secure NFS


From: "Peet Grobler" <peetgr () absa co za>
Date: Fri, 21 Feb 2003 07:09:27 +0200

I've been wondering about this for a while now...

Everybody knows NFS is insecure. Right. So no-one uses it. Why not simply modify NFS to use encryption? Why not?

Not tunneling, modify the source to either (a) establish ssl connections, or (b) manually encrypt all traffic (I would prefer this one).

I'd say, for added security, don't use any public-key exchange. Have a configuration file in which you can specify, say, 6 keys, which will dynamically be changed on-the-fly.

If you're interested in such a solution (any one of the above), let me know. I could probably hack it together this weekend, and provide you with a patch. I have been meaning to do this, for the experience. I know how to do it, just never did it, since no-one would use it :)

Lemme Know,
Peet

-----Original Message-----
From: slaanesh () netcourrier com [mailto:slaanesh () netcourrier com]
Sent: 20 February 2003 07:17
To: security-basics () securityfocus com
Subject: Secure NFS


Hello all,

I would like to set up a secure NFS in my network. However, I really would like not to have to install the portmap daemon on my server as I don't trust it anymore. Moreover, I would like all the network traffic to be encrypted.
I naturally turned to the SFS server and clients but it doesn't fit my needs. I want a secure exportable file system that I could add to my /etc/fstab file so it could be mounted at boot time (to store users' home directories for instance).
I know there is a way for tunnelling NFS with SSH but it seems too experimental for production...

So what should I do to resolve this problem?

Slaanesh



