networked file systems

I'm hoping to find a way for users of my systems to log in normally, and
transparently to them, be presented with the same home directory on every
machine, same working files, dotfiles, etc. This needs to be available
outside my network as well, so the data must be encrypted as it travels over
the wire.

To that end, I had hoped to centralize the files, and automount home
directories.

I'm in the process of setting up an LDAP authorization and Kerberos
authentication severs now.

However, I've run into a couple of snags.

First is choosing the filesystem. I'd really love to pick NFS, but since
I'm running in a sometimes distributed environment, and NFS to my knowledge
sends data over the wire in the clear, that's not an option.

I'm trying to figure out what exactly NFSv4 specifies. I see that Kerberos
authentication is included, and I see some statements about a Kerberos
Security Triple in the RFS (3530, i think) that mention total privacy as an
option. Does this refer to encrypting the NFS network traffic? If so, has
this been implemented?

I was going to choose AFS as a filesystem, but recently have been troubled
by a couple things.
1) Performance issues - on a fast computer, directly connected to the file
server, will AFS likely become the bottleneck?

2) Security issues - I was under the impression that AFS encrypted files as
they were sent over the network, but just ran across a couple of pages on
SFS that claim it does not. True, not true?

Are there other well-supported filesystems I should be looking at?


The other question I have is about automounting - if I'm planning to
implement LDAP/NSS/Kerberos, is there an easy way to do this? The
explanations I see (i've only found a couple good ones) use hesiod, and I'm
trying to figure out if that's really necessary. Seems like I could just
use autofs. However, this presents a bit of a detail problem in figuring
out how two users, logged in at the same time, could both access their home
directories. Because I need to support sharing of users' files, I suppose
the logical answer would be to mount the entire /home when a user logs in
with appropriate Kerberos credentials. Thoughts?



Thanks for the help...

On Fri, 04 Feb 2005 17:06:28 +0000, Luke wrote:

>
> I'm hoping to find a way for users of my systems to log in normally, and
> transparently to them, be presented with the same home directory on every
> machine, same working files, dotfiles, etc. This needs to be available
> outside my network as well, so the data must be encrypted as it travels over
> the wire.

You really need to be looking at a VPN, rather than trying to expose your
file servers to the web....

I run vtun, a simple, lightweight VPN. Its main drawback is that it is
linux/bsd only.... I struggled mightily with ipsec, but never could get
it to interoperate. PPTP is OK if you must connect windows; I don't know
if WinXP even supports pptp anymore...

Once you have the VPN up and secure, you can stuff anything down the wire
you want, including NFS.

I'd start worrying about the bandwidth, though. You're going to need gobs
and gobs...

On 2005-02-04, Captain Dondo <(E-Mail Removed)> wrote:
> On Fri, 04 Feb 2005 17:06:28 +0000, Luke wrote:
>
>>
>> I'm hoping to find a way for users of my systems to log in normally, and
>> transparently to them, be presented with the same home directory on every
>> machine, same working files, dotfiles, etc. This needs to be available
>> outside my network as well, so the data must be encrypted as it travels over
>> the wire.
>
> You really need to be looking at a VPN, rather than trying to expose your
> file servers to the web....
>
> I run vtun, a simple, lightweight VPN. Its main drawback is that it is
> linux/bsd only.... I struggled mightily with ipsec, but never could get
> it to interoperate. PPTP is OK if you must connect windows; I don't know
> if WinXP even supports pptp anymore...
>
> Once you have the VPN up and secure, you can stuff anything down the wire
> you want, including NFS.

What I didn't mention in my first post, and should have, is that a
critically important part of this to me is that user should have to do
absolutely nothing to have their home dir mounted, their files waiting for
them, etc. I'm not really sure how I would do this with a VPN. Is it
possible to authenticate a user via kerberos (the kerberos ticket will be
automatically granted via PAM anyway)? I've heard that can work with
IPSEC, but have found precisely zero docs describing how to do it. So
perhaps I could setup an IPSEC link automagically on login, and then
automount my NFS stuff?

Frankly, if I can figure out a way to automate everything, this does seem
like a better solution - i just don't know enough myself to automate
mounting home directories via NFS over VPN. Thoughts?

> I'd start worrying about the bandwidth, though. You're going to need gobs
> and gobs...

Yeah, I know. I'm hoping not too much, though - almost all files used are
very very small.

On Fri, 04 Feb 2005 17:36:49 +0000, Luke wrote:


>
> Frankly, if I can figure out a way to automate everything, this does seem
> like a better solution - i just don't know enough myself to automate
> mounting home directories via NFS over VPN. Thoughts?

Well, at least with vtun, it's automagic. I start vtun from inittab; if
and when it connects it automatically sets up the correct routes.

So, for your mythical laptop user, when on the office net, vtun just tries
to connect every 5 minutes, then gets whacked by init. No problem since
correct IP numbers, etc are assigned via DHCP.

But on the road, Mr. Laptop connects to the hotel lan. Vtun reaches
through the web, connects to the home office, sets up appropriate routing,
and wham - your mythical laptop user now has an 'ethernet' connection to
the home office. Anything can be shoved down that connection.

It's been working for me for a few years; sort of like a stone axe,
simple, reliable, and never fails.

On 2005-02-05, Captain Dondo <(E-Mail Removed)> wrote:
> On Fri, 04 Feb 2005 17:36:49 +0000, Luke wrote:
>
>
>>
>> Frankly, if I can figure out a way to automate everything, this does seem
>> like a better solution - i just don't know enough myself to automate
>> mounting home directories via NFS over VPN. Thoughts?
>
> Well, at least with vtun, it's automagic. I start vtun from inittab; if
> and when it connects it automatically sets up the correct routes.
>
> So, for your mythical laptop user, when on the office net, vtun just tries
> to connect every 5 minutes, then gets whacked by init. No problem since
> correct IP numbers, etc are assigned via DHCP.
>
> But on the road, Mr. Laptop connects to the hotel lan. Vtun reaches
> through the web, connects to the home office, sets up appropriate routing,
> and wham - your mythical laptop user now has an 'ethernet' connection to
> the home office. Anything can be shoved down that connection.
>
> It's been working for me for a few years; sort of like a stone axe,
> simple, reliable, and never fails.

I'd really rather stick with something like either IPSEC or OpenVPN.

Ideally, if I can make something like this work, i'd like to use it to
secure my wireless network as well.

Anyone know of a way to start an IPSEC tunnel automatically on a user's
login, and tunnel all traffic to a certain host though it, i'd love to hear
it. So, to summarize, I'd like a user to login, and then establish,
preferably via kerberos, an IPSEC tunnel to home.com, and tunnel any traffic
with home.com as a destination over that tunnel.

On Sat, 05 Feb 2005 02:07:54 +0000, Luke wrote:

> I'd really rather stick with something like either IPSEC or OpenVPN.
>
> Ideally, if I can make something like this work, i'd like to use it to
> secure my wireless network as well.
>
> Anyone know of a way to start an IPSEC tunnel automatically on a user's
> login, and tunnel all traffic to a certain host though it, i'd love to hear
> it. So, to summarize, I'd like a user to login, and then establish,
> preferably via kerberos, an IPSEC tunnel to home.com, and tunnel any traffic
> with home.com as a destination over that tunnel.

I just read the OpenVPN install, and it really sounds like an updated
vtun. It even uses the TUN driver, which was developed concurrently with
(or perhaps for?) vtun...

I don't see why it wouldn't do what you want it to do....

Note that IPSEC and OpenVPN do not mix... They're not the same.