
Re: [suse-security] NFS over SSH



On Wed, 2 Jun 2004, January Weiner wrote:

>   I'm desperately trying to set up a secure file sharing server.  It should
>   support both user authentication and data encryption.  It will run in a
>   non-secure LAN and provide about 15 users with their home directories.
> 
>   My first idea was to use NFS over SSH.  However, for this you need to
>   specify the ports rpc / nfs /nfslock use.  It seems that in SuSE there is
>   no way of specifying the nfslock port, is this correct?  What am I doing
>   wrong?  How to do NFS over SSH in SuSE?
> 
>   Samba would also be a possibility, however there are a couple of problems
>   with that one:
> 
>     1) problem with high UIDs, we have UIDs >> 65535 and the mounted samba
>     shares do not get proper permissions

Hasn't been a problem for a couple of years, as far as I can gather,
definitely shouldn't be for Samba 3.  Changed rather shortly after
kernel 2.4 appeared supporting UIDs > 65535.  Haven't tested this
myself, just did a quick Google search just now.

http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=59407

>     2) is it true that Samba does not support special files (like sockets),
>     thus rendering this file system unusable for the purpose of mounting
>     home directories to use e.g. with KDE (which needs to create sockets)?

Not true.  'Unix extension = yes' in smb.conf solves this; the problem
with KDE is that it has odd (':' in particular) characters in filenames,
and this is solved by also setting 'mangled names = no'.  Gnome, on the
other hand, uses a file locking strategy which is broken with sambamount.
Setting an environment variable GCONF_LOCAL_LOCKS=1 for the user moves the
file locking to /tmp and makes Gnome usable, though the solution isn't
optimal.

>   Am I wrong?  What other possibilities are there?  

Someone suggested VPN, which can force the user to authenticate to get an
IP address - at which point IP security all of a sudden deserves to
contain the word "security" in it.

Bjørn
-- 
Bjørn Tore Sund           Phone:  (+47) 555-84894    Stupidity is like a
System administrator      Fax:    (+47) 555-89672    fractal; universal and
Math. Department          Mobile: (+47) 918 68075    infinitely repetitive.
University of Bergen      VIP:    81724
Support: system@xxxxxxxxx Contact: teknisk@xxxxxxxxx Direct: bjornts@xxxxxxxxx
