This is a Secure user space NFS server designed to be tunneled through a firewall.
NFS is generally considered insecure, and rightly so. Use of UDP, easily guessed file handles and weak authentication are among the complaints. This implementation attempts to address these issues.
sNFS provides support for NFS over SSL. This means that:
Performance of the server is about 25% of a kernel based NFS running on the same machine. The performance of snfsc (the RPC shuffler needed for SSL and for TCP on many platforms) is even worse as it has to unpack/pack each RPC twice.
Because the server can be configured to re-export NFS-mounted filesystems, and because by default it ignores non-NFS mount points, only a single mount per server need be issued on the client to access all of the server's filesystems.
    $ mkdir -p /usr/local/src/sjg
    $ cd /usr/local/src/sjg
    $ gzcat /tmp/bmake.tar.gz | tar xvf -
    $ gzcat /tmp/SSLrsh.tar.gz | tar xvf -
    $ gzcat /tmp/sNFS.tar.gz | tar xvf -
    $ cd snfs
    $ gzcat /tmp/nfs_server.tar.gz | tar xvf -

Everything will be in the right place and once you've built bmake (or installed our macros on BSD systems) you can just:

    $ cd /usr/local/src/sjg
    $ bmake obj
    $ bmake depend
    $ bmake
    $ su
    # bmake install

The following entry needs to be added to /etc/services:

    snfs 449/tcp

And the following in /etc/inetd.conf:

    snfs stream tcp nowait root /usr/local/libexec/snfsd snfsd -z ssl

Of course the port number used can be changed to any available number, and snfsd takes many more options.
The rest of the setup is quite system specific (I usually let configs take care of it). For example:

    # NetBSD:
    /sbin/mount_snfs -> /usr/local/libexec/snfsc
    /sbin/umount_snfs -> /usr/local/libexec/snfsc
    # SunOS:
    /usr/etc/mount_snfs -> /usr/local/libexec/snfsc
    /usr/etc/umount_snfs -> /usr/local/libexec/snfsc
    # Solaris:
    /usr/lib/fs/snfs/mount -> /usr/local/libexec/snfsc
    /usr/lib/fs/snfs/umount -> /usr/local/libexec/snfsc

Thereafter, an entry like (NetBSD):

    zen:/share /share snfs rw,intr,noauto,ssl,cert=/etc/host.cert 0 0
    host.remote.site:/share /share2 snfs rw,intr,noauto,ssl,proxy=httpgw:80,cert=/etc/host.cert 0 0

is all that is needed.
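
One way to check that every snfs entry in an fstab-format file carries the ssl option and an absolute cert= path, as the entries above do. This is an added example, not part of sNFS: the function name audit_snfs_fstab and the third sample entry are constructed, and it assumes only the option names shown on this page.

```sh
# Added example, not part of sNFS. Audits snfs entries in an fstab-format file.
# Assumption: only the option names shown on this page (ssl, cert=, proxy=)
# are inspected; every other mount option is ignored.
#
# audit_snfs_fstab FILE
#   prints "OK|WARN <device> <mountpoint> <detail>" for each snfs entry and
#   returns 0 only when every entry has ssl and an absolute cert= path.
audit_snfs_fstab() {
    awk '
    /^[ \t]*#/ || NF < 4 { next }    # comments, blank or short lines
    $3 != "snfs"         { next }    # other filesystem types
    {
        ssl = 0; cert = ""; proxy = ""
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] == "ssl")          ssl = 1
            else if (opt[i] ~ /^cert=/)   cert = substr(opt[i], 6)
            else if (opt[i] ~ /^proxy=/)  proxy = substr(opt[i], 7)
        }
        msg = ""
        if (!ssl)               msg = msg " no-ssl"
        if (cert == "")         msg = msg " no-cert"
        else if (cert !~ /^\//) msg = msg " cert-not-absolute"
        if (msg == "") {
            detail = "cert=" cert
            if (proxy != "") detail = detail " via-proxy=" proxy
            print "OK", $1, $2, detail
        } else {
            bad = 1
            print "WARN", $1, $2, substr(msg, 2)
        }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the two entries from this page plus one lacking ssl/cert.
sample=$(mktemp)
cat > "$sample" <<'EOF'
zen:/share /share snfs rw,intr,noauto,ssl,cert=/etc/host.cert 0 0
host.remote.site:/share /share2 snfs rw,intr,noauto,ssl,proxy=httpgw:80,cert=/etc/host.cert 0 0
zen:/scratch /scratch snfs rw,intr,noauto 0 0
EOF
audit_snfs_fstab "$sample" || echo "some snfs entries need attention"
rm -f "$sample"
```
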
See SSLrsh for details about the authentication process.
Libsslfd makes adding SSL support to things like rsh, telnet and of course RPCs very simple.