Secure NFS and NIS via SSH Tunnel
Secure versions of the Network File System (SNFS) and Network Information System (SNIS) have now been implemented via SSH2 tunneling of UDP datagrams, as described in the SSH FAQ. This tunneling software is available for download under the GPL License: sec_rpc-1.54.tar.gz. This is a major enhancement of the original sec_rpc package developed by Holger Trapp.
Precompiled RPMs for the i386 and alpha architectures (RedHat 7.2) are available. (You will still need to prepare /etc/hosts.allow, execute snfshost, and modify /etc/fstab, as described in README.NFS.)
Tunneling via SSH2 increases the security of the connection and prevents
IP spoofing (Protocol 1 is also supported but Protocol 2 is more secure).
It also allows NFS to be used across a firewall, for example.
SNFS works with both NFS version 2 and version 3.
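SSH forwards TCP streams, not UDP datagrams, so a tunnel for NFS/NIS RPC has to turn each datagram into a delimited record on the client side and reassemble it on the server side, where the TCP stream may split or merge records arbitrarily. The following is an added illustration of that mechanism, not code from the sec_rpc package: the 4-byte length-prefix framing, the proxy roles and the Unframer/roundtrip names are assumptions; the ONC RPC NULL-call layout and program numbers (100003 NFS, 100005 mount) are the standard ones.

```python
import struct

# Standard ONC RPC program numbers used by NFS and the mount protocol.
NFS_PROG, MOUNT_PROG = 100003, 100005


def rpc_null_call(xid: int, prog: int, vers: int) -> bytes:
    """Constructed sample datagram: an ONC RPC CALL for procedure 0 (NULL).
    Fields: xid, msg_type CALL=0, rpcvers=2, prog, vers, proc=0, then
    AUTH_NULL credential and verifier (flavor 0, length 0 each)."""
    return struct.pack("!IIIIII", xid, 0, 2, prog, vers, 0) + struct.pack("!IIII", 0, 0, 0, 0)


LEN = struct.Struct("!I")  # assumed record header: big-endian datagram length


def frame(datagram: bytes) -> bytes:
    """Client-side proxy: prefix one UDP datagram with its length before
    writing it to the TCP socket that SSH forwards to the server."""
    return LEN.pack(len(datagram)) + datagram


class Unframer:
    """Server-side proxy: rebuild whole datagrams from a TCP byte stream that
    carries no message boundaries (records may arrive split or coalesced)."""

    def __init__(self):
        self.buf = b""

    def feed(self, chunk: bytes) -> list:
        """Append a received TCP chunk; return every datagram now complete."""
        self.buf += chunk
        out = []
        while len(self.buf) >= LEN.size:
            (n,) = LEN.unpack_from(self.buf)
            if len(self.buf) < LEN.size + n:
                break  # partial record: wait for more bytes
            out.append(self.buf[LEN.size:LEN.size + n])
            self.buf = self.buf[LEN.size + n:]
        return out


def roundtrip(datagrams, chunk_size: int) -> list:
    """Simulate the tunnel: frame all datagrams into one stream, then deliver
    it in chunks of chunk_size bytes (mimicking TCP segmentation) and unframe."""
    stream = b"".join(frame(d) for d in datagrams)
    unframer, got = Unframer(), []
    for i in range(0, len(stream), chunk_size):
        got.extend(unframer.feed(stream[i:i + chunk_size]))
    return got
```

Delivering the stream in 7-byte chunks and in one large chunk must yield the same datagrams; a zero-length datagram must survive as well, since UDP permits it.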
NEW:
Secure NIS (SNIS) has now been implemented; see
README.NIS for details.
SNFS has been tested on Linux i386 and alpha 21164/21264 platforms under
RedHat 7.1-9.0. It is also known to work under HPUX, FreeBSD, and
Solaris. The configuration scripts require perl version 5.006 or later.
No changes to the kernel or existing daemons are required.
On a high-end workstation, tunneling of large files results in only a slight degradation in speed (e.g. 4MB/s instead of 5MB/s).
Detailed configuration instructions are contained in the file
README.NFS. Here is a sample
config file and fstab entry
for mounting the directories /usr and /home/userid from REMOTE
on local.math.ualberta.ca (both of these files should reside on
local.math.ualberta.ca). There is also a
Troubleshooting FAQ, where you can look up error messages
that result from common misconfigurations.
Note: some UNIX systems (e.g. Solaris) have a mount command that unfortunately lacks the nfsprog and mountprog options. It is still possible to use SNFS to tunnel all of your NFS traffic through a single tunnel to a remote machine. Unmount all NFS directories, put this config file in /usr/local/etc/snfs/, change all occurrences of REMOTE to the remote host name, and type something like:
    rpc_psrv -b /usr/local/etc/snfs/single
    mount -F nfs $HOST\:/remote/dir /mnt
Here are sample firewall rules for ipchains that
permit SNFS tunneling but disable all privileged ports other than ssh (22).
NEW FEATURES
See also:
OpenSSH patches (including user-dependent IdentifyFile security patch)
How to tunnel other services
How to set up a passwordless OpenSSH connection
Keychain: an OpenSSH key management utility
rlbackup (secure rsync- and ssh-based remote linked backup utility)
Kryptografisch gesicherte Datenübertragung bei NIS und NFS durch SSH-Tunneling (Cryptographically secured data transfer for NIS and NFS via SSH tunneling; an article in German on SNFS/SNIS by Prof. Dr. Christian Müller)
Old versions
HOME: http://www.math.ualberta.ca/~bowman