Networking Forums

How unsecure is NFS?

 
 
Hannu_H

 
      01-18-2007, 11:23 PM
I am attempting to connect my office PC to my home computer, both Linux,
Mandriva 2007.
For years, the warning has been not to use NFS for this kind of thing.
You can make NFS somewhat secure by allowing only certain IP's to share, but
it has been said that the IP can be spoofed and/or the packets sniffed
due to no encryption. Are these still valid arguments with today's version
of NFS?
I have seen some documentation of setting up VPN's between linux boxes, but
seems rather awkward and complicated. Maybe there is some tool somewhere
that can do this.
There must be a way to file share two linux boxes with reasonable security
the same way Windows users seem to trust VPN's for just about anything.
Ideas welcome!
Thanks,
Hannu_H


 
 
 
 
 
CptDondo

 
      01-18-2007, 11:44 PM
Hannu_H wrote:
> I am attempting to connect my office PC to my home computer, both Linux,
> Mandriva 2007.
> For years, the warning has been not to use NFS for this kind of thing.
> You can make NFS somewhat secure by allowing only certain IP's to share, but
> it has been said that the IP can be spoofed and/or the packets sniffed
> due to no encryption. Are these still valid arguments with today's version
> of NFS?
> I have seen some documentation of setting up VPN's between linux boxes, but
> seems rather awkward and complicated. Maybe there is some tool somewhere
> that can do this.
> There must be a way to file share two linux boxes with reasonable security
> the same way Windows users seem to trust VPN's for just about anything.
> Ideas welcome!
> Thanks,
> Hannu_H
>
>


Ummm... VPN? Try vtun and/or openvpn. vtun is older, simpler, but
openvpn seems to have more acceptance.

That's what VPN is for! It's a secure tunnel over which you can run
unsecure apps.

Although NFS might be a bit slow....

--Yan
 
 
John Oliver

 
      01-19-2007, 12:20 AM
On Thu, 18 Jan 2007 19:23:44 -0500, Hannu_H wrote:
> I am attempting to connect my office PC to my home computer, both Linux,
> Mandriva 2007.
> For years, the warning has been not to use NFS for this kind of thing.
> You can make NFS somewhat secure by allowing only certain IP's to share, but
> it has been said that the IP can be spoofed and/or the packets sniffed
> due to no encryption. Are these still valid arguments with today's version
> of NFS?
> I have seen some documentation of setting up VPN's between linux boxes, but
> seems rather awkward and complicated. Maybe there is some tool somewhere
> that can do this.
> There must be a way to file share two linux boxes with reasonable security
> the same way Windows users seem to trust VPN's for just about anything.


Uhh, yeah... a VPN!

You don't have to do it in the OS. You can have routers at home and in
the office that will let you have a point-to-point VPN.

If you just refuse to use a VPN, one way you could go would be to get
rid of the default route on the NFS server, and add specific static
routes for the host(s) or network(s) you want to connect. Sure, someone
could spoof an IP, but they couldn't get traffic back, and they'd have
to really really want to mess with you and figure out your remote IPs.
Likely to be a lot more trouble than anyone is willing to spend :-)

--
* John Oliver http://www.john-oliver.net/ *
 
 
Andrew Gideon

 
      01-19-2007, 03:43 PM
On Thu, 18 Jan 2007 19:23:44 -0500, Hannu_H wrote:

> There must be a way to file share two linux boxes with reasonable security
> the same way Windows users seem to trust VPN's for just about anything.


A couple of people have recommended using a VPN, and I agree.

However, if you've some reason to avoid this excellent solution, you could
try an idea with which I've been meaning to experiment for a while.
Consider:
* All NFS-related services can be handled via TCP
* All NFS-related services' ports can be specified, either via
parameters in /etc/sysconfig/nfs or options in /etc/modprobe.conf

Why not try NFS via SSH's port forwarding?

I cannot see why this wouldn't work. And, just for fun, I've wanted to
give it a try. But fair warning: I never have. There may be a perfectly
obvious reason why this wouldn't work that I've been missing.

I've no real need for this. But I've been calling SSH "the poor man's
VPN" for so long, I'm wondering if even NFS now can be made to work.

- Andrew
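
Added example, not part of Andrew's post and not something anyone in the thread reports having tested: a sketch of the NFS-over-SSH idea above for NFSv3 over TCP, which prints the tunnel and mount commands and checks an /etc/exports line for tunnel-only use. The host name, export path, mount point, local ports 3049/3892 and the pinned mountd port 892 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. NFSv3 over TCP through SSH local forwards.
# Assumed values: mountd pinned to 892 on the server, free local ports below.
NFS_PORT=2049; MOUNTD_PORT=892
LOCAL_NFS=3049; LOCAL_MOUNTD=3892

# Print the ssh command; forwards listen on the client's loopback only.
tunnel_cmd() {  # $1 = user@server
    printf 'ssh -f -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s -L 127.0.0.1:%s:127.0.0.1:%s %s\n' \
        "$LOCAL_NFS" "$NFS_PORT" "$LOCAL_MOUNTD" "$MOUNTD_PORT" "$1"
}

# Print the mount command aimed at the forwarded ports. nolock: lockd/statd
# are not tunnelled here.
mount_cmd() {  # $1 = exported path, $2 = mount point
    printf 'mount -t nfs -o tcp,nfsvers=3,port=%s,mountport=%s,nolock 127.0.0.1:%s %s\n' \
        "$LOCAL_NFS" "$LOCAL_MOUNTD" "$1" "$2"
}

# Check one /etc/exports line for tunnel-only use. Returns 0 if acceptable.
check_export() {  # $1 = exports line
    rc=0
    set -f; set -- $1; set +f            # split on whitespace, no globbing
    [ $# -ge 2 ] || { echo "no client list: exported to every host"; return 1; }
    shift                                # drop the exported path
    for spec in "$@"; do
        client=${spec%%\(*}
        opts=",${spec#*\(}"; opts="${opts%\)},"
        case $client in
            127.0.0.1|localhost) ;;
            *) echo "client '$client' is not loopback"; rc=1 ;;
        esac
        # sshd connects from an unprivileged port, which the default
        # 'secure' export option rejects.
        case $opts in *,insecure,*) ;; *) echo "'insecure' missing for $client"; rc=1 ;; esac
        case $opts in *,no_root_squash,*) echo "no_root_squash set for $client"; rc=1 ;; esac
    done
    return $rc
}

# Demo with constructed values (host and paths are placeholders).
tunnel_cmd user@nfs-server.example
mount_cmd /home/share /mnt/share
check_export '/home/share 127.0.0.1(rw,sync,insecure,root_squash)' && echo "export line OK"
```

With this layout the server sees every request as coming from 127.0.0.1, so any local account on the client that can reach the forwarded ports is trusted by the export; keep root_squash on and limit who can log in on both machines.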

 
 
Michael Heiming

 
      01-19-2007, 05:50 PM
In comp.os.linux.networking Hannu_H <(E-Mail Removed)>:
> I am attempting to connect my office PC to my home computer, both Linux,
> Mandriva 2007.
> For years, the warning has been not to use NFS for this kind of thing.
> You can make NFS somewhat secure by allowing only certain IP's to share, but
> it has been said that the IP can be spoofed and/or the packets sniffed
> due to no encryption. Are these still valid arguments with today's version
> of NFS?


If you can't use VPN, try a google search for 'sshfs'. Iirc once
had it working. Another even easier option might be to just setup
'unison' between the two systems and sync stuff on a regular
basis, if this would be enough for you? You could even use 'rsync'
through ssh, which is quite often already installed 'man rsync'
though unison has some advantages.

Good luck

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 45: virus attack, luser responsible
 
 
Joe Pfeiffer

 
      01-19-2007, 06:17 PM
Michael Heiming <michael+(E-Mail Removed)> writes:

> In comp.os.linux.networking Hannu_H <(E-Mail Removed)>:
> > I am attempting to connect my office PC to my home computer, both Linux,
> > Mandriva 2007.
> > For years, the warning has been not to use NFS for this kind of thing.
> > You can make NFS somewhat secure by allowing only certain IP's to share, but
> > it has been said that the IP can be spoofed and/or the packets sniffed
> > due to no encryption. Are these still valid arguments with today's version
> > of NFS?

>
> If you can't use VPN, try a google search for 'sshfs'. Iirc once
> had it working. Another even easier option might be to just setup
> 'unison' between the two systems and sync stuff on a regular
> basis, if this would be enough for you? You could even use 'rsync'
> through ssh, which is quite often already installed 'man rsync'
> though unison has some advantages.


At present, I rsync back and forth between some systems...

When I tried sshfs, I had some trouble with connections eventually
hanging.

Where can I find out more about unison?
--
Joseph J. Pfeiffer, Jr., Ph.D. Phone -- (505) 646-1605
Department of Computer Science FAX -- (505) 646-1002
New Mexico State University http://www.cs.nmsu.edu/~pfeiffer
 
 
John Oliver

 
      01-20-2007, 12:20 AM
On 19 Jan 2007 12:17:39 -0700, Joe Pfeiffer wrote:
> Where can I find out more about unison?


http://www.cis.upenn.edu/~bcpierce/unison/

Beware... it's one of those things that, if it doesn't work, your only
recourse is the "community". If anyone has to work too hard to figure
it out, you're going to be SOL.

--
* John Oliver http://www.john-oliver.net/ *
 
 
Hannu_H

 
      01-20-2007, 02:05 AM
Andrew Gideon wrote:

> On Thu, 18 Jan 2007 19:23:44 -0500, Hannu_H wrote:
>
>> There must be a way to file share two linux boxes with reasonable
>> security the same way Windows users seem to trust VPN's for just about
>> anything.

>
> A couple of people have recommended using a VPN, and I agree.
>
> However, if you've some reason to avoid this excellent solution, you could
> try an idea with which I've been meaning to experiment for a while.
> Consider:
> * All NFS-related services can be handled via TCP
> * All NFS-related services' ports can be specified, either via
> parameters in /etc/sysconfig/nfs or options in /etc/modprobe.conf
>
> Why not try NFS via SSH's port forwarding?
>
> I cannot see why this wouldn't work. And, just for fun, I've wanted to
> give it a try. But fair warning: I never have. There may be a perfectly
> obvious reason why this wouldn't work that I've been missing.
>
> I've no real need for this. But I've been calling SSH "the poor man's
> VPN" for so long, I'm wondering if even NFS now can be made to work.
>
> - Andrew


Andrew,
I am sure it can be done. I remember seeing something like this done. Before
there were any VPN programs for Linux, you could do it from scratch exactly
as you describe. SSH is an encrypted tunnel and you run NFS through it.
The way it was done looked rather complicated, though, and I don't know much
about SSH.
If you are serious about trying it, search for SSH and VPN on Linux, I am sure you
can do it. If you manage to do it, post here what happened ...
Now, what would be the easier way to set up VPN on Linux? I don't see
anything in my Mandriva distro about it ....
Somebody suggested doing the VPN outside OS with routers, but that's not a
possibility here, these computers are not behind firewalls for a reason.
Thanks,
Hannu


 
 
Michael Heiming

 
      01-20-2007, 09:09 AM
In comp.os.linux.networking John Oliver <(E-Mail Removed)>:
> On 19 Jan 2007 12:17:39 -0700, Joe Pfeiffer wrote:
>> Where can I find out more about unison?


> http://www.cis.upenn.edu/~bcpierce/unison/


> Beware... it's one of those things that, if it doesn't work, your only
> recourse is the "community". If anyone has to work too hard to figure
> it out, you're going to be SOL.


Works like a charm from my experience, syncing hundreds of GBs
with it on a regular basis. It doesn't need that much CPU like
rsync tends to, is faster after initial sync and works in both
directions from a single connection. Another advantage might be
its GUI, if you are starting. Though you don't need it once you
figured out how it works from the shell.

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 202: kernel panic: write-only-memory (/dev/wom0)
capacity exceeded.
 
 
 
 