sNFS: Secure? NFS

The latest version of this set of pages can be found here.

This is a Secure user space NFS server designed to be tunneled through a firewall.

NFS is generally considerd insecure and rightly so. Use of UDP, easily guessed file handles and weak authentication are among the complaints. This implementation attempts to address these issues.

sNFS provides support for NFS over SSL. This means that:

The server is designed to be run from inetd and without a portmapper and supports UPD and plain TCP in addition to SSL.

Performance of the server is about 25% of a kernel based NFS running on the same machine. The performance of snfsc (the RPC shuffler needed for SSL and for TCP on many platforms) is even worse as it has to unpack/pack each RPC twice.

Because the server can be configured to re-export NFS mounted filesystems plus the fact that by default the server ignores non-NFS mount points, only a single mount per server need be issued on the client to access all of the server's filesystems.

INSTALLATION

Unless you are running BSD, you will need bmake and you will also need the libsslfd from SSLrsh. See install for details, but if you just do:
$ mkdir -p /usr/local/src/sjg
$ cd /usr/local/src/sjg
$ gzcat /tmp/bmake.tar.gz | tar xvf -
$ gzcat /tmp/SSLrsh.tar.gz | tar xvf -
$ gzcat /tmp/sNFS.tar.gz | tar xvf -
$ cd snfs
$ gzcat /tmp/nfs_server.tar.gz | tar xvf -
Everything will be in the right place and once you've built bmake (or installed our macros on BSD systems) you can just:
$ cd /usr/local/src/sjg
$ bmake obj
$ bmake depend
$ bmake
$ su
# bmake install

Setup

The default exports file is /usr/local/etc/exports

The following entry needs to be added to /etc/services

snfs	449/tcp
And the following in /etc/inetd.conf
snfs stream tcp nowait root /usr/local/libexec/snfsd snfsd -z ssl
of course the portnumber used can be changed to any available number and snfsd takes many more options.

The rest of the setup is quite system specific (I usually let configs take care of it). For example:

# NetBSD:
/sbin/mount_snfs -> /usr/local/libexec/snfsc
/sbin/umount_snfs -> /usr/local/libexec/snfsc
# SunOS:
/usr/etc/mount_snfs -> /usr/local/libexec/snfsc
/usr/etc/umount_snfs -> /usr/local/libexec/snfsc
# Solaris:
/usr/lib/fs/snfs/mount -> /usr/local/libexec/snfsc
/usr/lib/fs/snfs/umount -> /usr/local/libexec/snfsc
Thereafter, an entry like (NetBSD):
zen:/share /share snfs rw,intr,noauto,ssl,cert=/etc/host.cert 0 0
host.remote.site:/share /share2 snfs rw,intr,noauto,ssl,proxy=httpgw:80,cert=/etc/host.cert 0 0
is all that is needed.

See SSLrsh for details about the authentication process.

SSL

I use my own libsslfd wrapper library for Eric Young's excellent SSLeay package. Though I expect US folk could use SSLref or whatever they have to use there.

Libsslfd makes adding SSL support to things like rsh, telnet and of course RPC's very simple.

Availability

sNFS is available for purchase, see http://www.crufty.net/Products/ for details.

$Id: sNFS.html,v 1.5 2002/11/27 06:11:51 sjg Exp $
Copyright © 1997-2001 CRUFTY.NET