Securing NFS

Support for security such as Firewalls and securing linux
Post Reply
dcrdev
Posts: 70
Joined: 2015/10/25 23:42:17

Securing NFS

Post by dcrdev » 2017/12/01 11:51:03

Apologies if this has been posted a thousand times already and whilst I have seen plenty of articles describing this topic, not one of them has answered all my questions.

Anyway my file server has always used samba due to it's interoperability with Windows clients, but it dawned on me very recently that I no longer have any Windows clients, I'm only using Linux. So rather than keep wasting time transferring files over smb and separately managing permissions via ssh, I decided to investigate nfs - it's something I have never used before.

First impressions are that I find it somewhat confusing from a security perspective. Assuming my understanding is correct, security boils down to this:
  • NFS doesn't support password based authentication
  • Instead NFS relies on UIDs/GIDs
  • This can be further restricted, by locking down the IPs that can connect
So correct me if I'm wrong but:
  • One could just create a user with a matching UID and then they would appear as authenticated.
  • Equally the server could be transplanted onto an unknown network, in which an unknown client could assign an IP that is considered whitelisted. Yes you could argue that if someone has physical access to the machine, it's game over anyway - but in my case I make use of both hardware/software full drive encryption,
So am I missing something here, or are there more measures one could take to lock things down? I've come across several articles suggesting that you can set up Kerberos if you need authentication, but that seems a little excessive to set up a domain controller for 3-4 users.

Thanks

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: Securing NFS

Post by lightman47 » 2017/12/01 12:42:12

Well, sharing didn't work for me if that same User & password didn't already exist on my server as well. I could be wrong, but it's my understanding that authentication occurs at connect time, and then the UID/GIDs are used for permission enforcement and file access.

-looking forward to further responses. Nice question.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: Securing NFS

Post by hunter86_bg » 2017/12/03 17:26:54

NFS supports kerberos, which guarantees that the NFS client is really authorised.

dcrdev
Posts: 70
Joined: 2015/10/25 23:42:17

Re: Securing NFS

Post by dcrdev » 2017/12/05 18:15:22

hunter86_bg wrote:NFS supports kerberos, which guarantees that the NFS client is really authorised.
Right - yes I had already mentioned kerberos in my original post...

As already stated keberos seems overly complicated for my use case, but admittedly I'm not that clued up on it. Really i'd just like authentication for nfs, if I were to implement kerberos - would all users have to authenticate against the kerberos server to sign on?

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: Securing NFS

Post by hunter86_bg » 2017/12/05 18:27:25

All users need a kerberos ticket /granted on successful login/ to get access to restricted nfs shares.
From security point of view, samba has more elaborate controls which allows fine tuning, while NFS supports other features like better performance /parallel nfs from 4.1/ .
From my experience nfs with kerberos deployment is way easier that people think.

Post Reply