Secure NFS and NIS via SSH Tunnel
Secure versions of the Network File System (SNFS) and Network Information
System (SNIS) have now been implemented via SSH2 tunneling of UDP
datagrams, as described in the SSH FAQ. This tunneling
software is available for download under the GPL License:
sec_rpc-1.54.tar.gz. This is a major
enhancement of the
sec_rpc package developed by Holger Trapp.
Precompiled RPMS for the i386 and alpha architectures
(RedHat 7.2) are available. (You will still need to prepare
/etc/hosts.allow, execute snfshost, and modify /etc/fstab, as described in
Tunneling via SSH2 increases the security of the connection and prevents
IP spoofing (Protocol 1 is also supported but Protocol 2 is more secure).
It also allows NFS to be used across a firewall, for example.
SNFS works with both NFS version 2 and version 3.
Secure NIS (SNIS) has now been implemented; see
README.NIS for details.
SNFS has been tested on Linux i386 and alpha 21164/21264 platforms under
RedHat 7.1-9.0. It is also known to work under HPUX, FreeBSD, and
Solaris. The configuration scripts require perl version 5.006 or later.
No changes to the kernel or existing daemons are required.
On a high-end workstation, tunneling of large files results in only a slight
degradation in speed (eg. 4MB/s instead of 5MB/s).
Detailed configuration instructions are contained in the file
README.NFS. Here is a sample
config file and fstab entry
for mounting the directories /usr and /home/userid from REMOTE
on local.math.ualberta.ca (both of these files should reside on
local.math.ualberta.ca). There is also a
Troubleshooting FAQ, where you can look up error messages
that result from common misconfigurations.
Note: some UNIX systems (eg. Solaris) have a mount command that
unfortunately lacks the nfsprog and mountprog options. It is still possible
to use SNFS to tunnel all of your NFS traffic through a single
tunnel to a remote machine. Unmount all NFS directories, put this
config file in /usr/local/etc/snfs/, change
all occurances of REMOTE to the remote host name, and type something like:
rpc_psrv -b /usr/local/etc/snfs/single
mount -F nfs $HOST\:/remote/dir /mnt
Here are sample firewall rules for ipchains that
permit SNFS tunneling but disable all privileged ports other than ssh (22).
OpenSSH patches (including user-dependent IdentifyFile security patch)
How to tunnel other services
How to set up a passwordless OpenSSH connection
Keychain: an OpenSSH key management utility
rlbackup (secure rsync- and ssh-based remote linked backup utility)
Kryptografisch gesicherte Datenübertragung bei NIS und NFS durch
SSH-Tunneling (an article in German on SNFS/SNIS by Prof. Dr. Christian
visitors have accessed this page since May 10, 2001.