krb5 with AUTH_SYS
Fredrik Tolf
fredrik at dolda2000.com
Mon Dec 18 00:01:14 EST 2006
On Sun, 2006-12-17 at 18:18 -0600, Zachary Kotlarek wrote:
> We're currently using NFSv3 without any security, which is working
> fine, but without control of the entire Ethernet segment I'd really
> like to authenticate clients on some level. I know I could do
> something like an SSH tunnel, but that makes error reporting and
> recovery more difficult and still leaves the NFS server open to
> attack from anyone with shell access on an NFS client machine.
You're right about error recovery (although I think you could just set
an SSH timeout and have it restart automagically by way of a simple
bash script), but I don't believe that it would be a problem to prevent
anyone with shell access from accessing the NFS server.
If I'm not mistaken, the NFSv3 mount daemon only accepts clients on
ports < 1024, so if you restrict NFSv3 access to localhost, you are
essentially restricting it to anyone who can bind to those ports on the
local machine (root, that is). Make a little SUID root program that is
started within the SSH session, does authorization based on getuid(),
and then binds to a port <1024 and forwards the connection for the
client to the NFS server.
I know it's a bit ugly, but personally I can't think of a better way.
OTOH, maybe it would be possible to simply turn off root squelch on NFSv4
(I don't know whether that's possible), while still using Kerberos
security. That way, only clients with a Kerberos service key for NFS
could connect, right?
HTH
Fredrik Tolf
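
The SUID helper described in the message above, as an added example (not code from the post or from any NFS project). It authorizes on the real UID, holds root only long enough to bind a source port below 1024, then relays the SSH session's stdin/stdout to the server. Assumptions: the allowlisted UIDs are constructed, the NFS service listens over TCP on loopback port 2049, and the helper is installed setuid root.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed allowlist of real UIDs permitted to reach the NFS port. */
static const uid_t ALLOWED_UIDS[] = { 1001, 1002 };
int uid_allowed(uid_t uid) {
    for (size_t i = 0; i < sizeof ALLOWED_UIDS / sizeof *ALLOWED_UIDS; i++)
        if (ALLOWED_UIDS[i] == uid) return 1;
    return 0;
}

/* Bind fd to the first free loopback source port in 512..1023 (needs root). */
int bind_reserved(int fd) {
    struct sockaddr_in a = { .sin_family = AF_INET };
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    for (int p = 1023; p >= 512; p--) {
        a.sin_port = htons(p);
        if (bind(fd, (struct sockaddr *)&a, sizeof a) == 0) return p;
    }
    return -1;
}
/* Give up root for good and confirm it cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    return (uid != 0 && setuid(0) == 0) ? -1 : 0;
}
int main(void) {
    uid_t uid = getuid();              /* real UID of the SSH user */
    if (!uid_allowed(uid)) return 1;   /* authorize before any privileged step */
    int s = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in nfs = { .sin_family = AF_INET, .sin_port = htons(2049) };
    nfs.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* assumed server address */
    if (s < 0 || bind_reserved(s) < 0) return 1;
    if (drop_privileges(uid, getgid()) != 0) return 1;  /* root only for bind */
    if (connect(s, (struct sockaddr *)&nfs, sizeof nfs) != 0) return 1;
    struct pollfd pf[2] = { { 0, POLLIN, 0 }, { s, POLLIN, 0 } };
    char buf[4096];
    for (;;) {                         /* relay stdin<->socket until EOF/error */
        if (poll(pf, 2, -1) < 0) return 1;
        for (int i = 0; i < 2; i++) {
            if (!(pf[i].revents & (POLLIN | POLLHUP))) continue;
            ssize_t n = read(pf[i].fd, buf, sizeof buf);
            if (n <= 0 || write(i ? 1 : s, buf, n) != n) return 0;
        }
    }
}
```

The bound source port survives the privilege drop, so the relay loop and everything that parses client data runs as the unprivileged user.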