sNFS: Secure? NFS

The latest version of this set of pages can be found here.

This is a Secure user space NFS server designed to be tunneled through a firewall.

NFS is generally considerd insecure and rightly so. Use of UDP, easily guessed file handles and weak authentication are among the complaints. This implementation attempts to address these issues.

sNFS provides support for NFS over SSL. This means that:

The NFS traffic is encrypted with all that that implies.
Mount authentication is via X.509 certificate. This allows quite strong authentication of mount requests, while being able to automagically recover from a server reset - an anoying problem with the previous release when using challenge/response authenticion.
You no longer need the TIS fwtk for authentication.
You can safely mount sNFS filesystems from beyond your firewall - provided your HTTP proxy allows connections to the port the remote sNFS server is using. Don't expect high throughput though.

The server is designed to be run from inetd and without a portmapper and supports UPD and plain TCP in addition to SSL.

Performance of the server is about 25% of a kernel based NFS running on the same machine. The performance of snfsc (the RPC shuffler needed for SSL and for TCP on many platforms) is even worse as it has to unpack/pack each RPC twice.

Because the server can be configured to re-export NFS mounted filesystems plus the fact that by default the server ignores non-NFS mount points, only a single mount per server need be issued on the client to access all of the server's filesystems.

INSTALLATION

Unless you are running BSD, you will need bmake and you will also need the libsslfd from SSLrsh. See install for details, but if you just do:

$ mkdir -p /usr/local/src/sjg
$ cd /usr/local/src/sjg
$ gzcat /tmp/bmake.tar.gz | tar xvf -
$ gzcat /tmp/SSLrsh.tar.gz | tar xvf -
$ gzcat /tmp/sNFS.tar.gz | tar xvf -
$ cd snfs
$ gzcat /tmp/nfs_server.tar.gz | tar xvf -

Everything will be in the right place and once you've built bmake (or installed our macros on BSD systems) you can just:

$ cd /usr/local/src/sjg
$ bmake obj
$ bmake depend
$ bmake
$ su
# bmake install

Setup

The default exports file is /usr/local/etc/exports

The following entry needs to be added to /etc/services

snfs	449/tcp

And the following in /etc/inetd.conf

snfs stream tcp nowait root /usr/local/libexec/snfsd snfsd -z ssl

of course the portnumber used can be changed to any available number and snfsd takes many more options.

The rest of the setup is quite system specific (I usually let configs take care of it). For example:

# NetBSD:
/sbin/mount_snfs -> /usr/local/libexec/snfsc
/sbin/umount_snfs -> /usr/local/libexec/snfsc
# SunOS:
/usr/etc/mount_snfs -> /usr/local/libexec/snfsc
/usr/etc/umount_snfs -> /usr/local/libexec/snfsc
# Solaris:
/usr/lib/fs/snfs/mount -> /usr/local/libexec/snfsc
/usr/lib/fs/snfs/umount -> /usr/local/libexec/snfsc

Thereafter, an entry like (NetBSD):

zen:/share /share snfs rw,intr,noauto,ssl,cert=/etc/host.cert 0 0
host.remote.site:/share /share2 snfs rw,intr,noauto,ssl,proxy=httpgw:80,cert=/etc/host.cert 0 0

is all that is needed.

See SSLrsh for details about the authentication process.

SSL

I use my own libsslfd wrapper library for Eric Young's excellent SSLeay package. Though I expect US folk could use SSLref or whatever they have to use there.

Libsslfd makes adding SSL support to things like rsh, telnet and of course RPC's very simple.

Availability

sNFS is available for purchase, see http://www.crufty.net/Products/ for details.