Slashdot Mirror

← Back to Stories (view on slashdot.org)

Encrypt NFSv4 with TLS Encryption Using Stunnel (linuxjournal.com)

Posted by EditorDavid on from the cloaking-cleartext dept.

The systems and database administrator for a Fortune 500 company notes that while NFS is "decades old and predating Linux...the most obvious feature missing from NFSv4 is native, standalone encryption." emil (Slashdot reader #695) summarizes this article from Linux Journal: NFS is the most popular remote file system in the Linux, UNIX, and greater POSIX community. The NFS protocol pushes file traffic over cleartext connections in the default configuration, which is poison to sensitive information.

TLS can wrap this traffic, finally bringing wire security to files vulnerable to compromise in transit. Before using a cloud provider's toolset, review NFS usage and encrypt where necessary.
The article's author complains that Google Cloud "makes no mention of data security in its documented procedures," though "the performance penalty for tunneling NFS over stunnel is surprisingly small...."

"While the crusade against telnet may have been largely won, Linux and the greater UNIX community still have areas of willful blindness. NFS should have been secured long ago, and it is objectionable that a workaround with stunnel is even necessary."

41 of 83 comments (clear)

  1. Use the right options by El+Cubano · · Score: 4, Insightful

    sec=krb5p

    1. Re:Use the right options by Anonymous Coward · · Score: 1

      They said standalone. Keberos isn't lightweight. There is quite a bit of administrative overhead that isn't woth the squeeze for small groups.

    2. Re:Use the right options by cruff · · Score: 1

      It is true that the Kerberos infrastructure is a bit of a pain, but it does work well when you have it in place.

    3. Re:Use the right options by mdhoover · · Score: 1

      Administrative overhead? You aren't running Active Directory in your environment?

      True the tools used to onboard *NIX (except solaris) are pretty shit (I'm looking at you SSSD).

      For AD when generating your keytabs you need to salt the keys with the internal UPN (ie: samaccountname@ad.domain, minus the dollarsign for computer accounts) for every principal assigned to the account, but once you know that is is trivial to script the onboarding.

      Then you just need to ensure your service accounts that use NFS init and renew their keys.

      If I could find the maintainer of perl's KRB5 module (it needs some additional library wrap functions to handle salt/keytab generation) I'd push up all the code/tools you would ever need...

  2. Misses the point of NFS by guruevi · · Score: 5, Insightful

    NFS is unencrypted exactly because of the overhead it brings and the fact that within a small network the risk is relatively small to non-existent.

    NFS has a number of assumptions that WAN links don't provide (eg stability). Use a different protocol if you want security and stability over WAN.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:Misses the point of NFS by iggymanz · · Score: 2, Insightful

      actually, NFS has encryption option, and the article tries to justify this extraneous stunnel solution by stating "waaah, it's too hard to do the built in..." which is bullshit

      You can do NFS securely and without stunnel. end of story.

    2. Re: Misses the point of NFS by emil · · Score: 1

      You will see in the conclusion the FBI advisory to reboot Soho routers. Generally, end users cannot maintain firmware or patch broadband devices. Encrypting everything it can touch, and keeping internal devices patched, is hardly unreasonable.

    3. Re: Misses the point of NFS by emil · · Score: 1

      ...unless the story takes you to clients and servers of an external vendor/customer, to your cloud provider, or to internal sites in other divisions that will not participate in a realm.

  3. It's not really a work around by rsilvergun · · Score: 3, Insightful

    it's a Unix philosophy: lots of smaller tools working well together instead of one big tool that tries to do everything and just turns into a mess.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:It's not really a work around by 93+Escort+Wagon · · Score: 1

      it's a Unix philosophy: lots of smaller tools working well together instead of one big tool that tries to do everything and just turns into a mess.

      Now, now, we’re only a few comments in and already someone’s complaining about systemd...

      --
      #DeleteChrome
  4. WOW! An non political tech article on /.!? by Anonymous Coward · · Score: 1

    I'm in shock!

    1. Re:WOW! An non political tech article on /.!? by Desler · · Score: 1

      Slashdot has had political articles for nearly 2 decades. From example, [url=https://slashdot.org/story/98/12/16/1930206/us-and-uk-unilaterally-attack-iraq]here[/url] is one from 1998 that was heavily political. Cry more, snowflake.

    2. Re:WOW! An non political tech article on /.!? by Desler · · Score: 1

      Slashdot has had political articles for nearly 2 decades. From example, here is one from 1998 that was heavily political. Cry more, snowflake.

    3. Re: WOW! An non political tech article on /.!? by Desler · · Score: 1

      Which was what? That whining about political articles is silly since they've been posted to Slashdot since the very beginning of the site existing? If so, then yes, I did prove the snowflake's "point."

    4. Re:WOW! An non political tech article on /.!? by Desler · · Score: 1

      Awww, do I need to call the waaahmbulance for you?

  5. Use GSSAPI by sydsavage · · Score: 2

    NFSv4 _does_ have native encryption, but it requires the use of GSSAPI (kerberos).

    1. Re:Use GSSAPI by Desler · · Score: 3, Informative

      Yes and the article addresses that:

      The sec=krb5p option will encrypt NFSv4 traffic in a Kerberos realm, but requiring this infrastructure is inappropriate in hosted environments and is generally far from helpful. Basic access to symmetric cryptography does not and should not mandate such enormous baggage.

    2. Re:Use GSSAPI by iggymanz · · Score: 1, Informative

      "addressing" the issue by saying "wahhh it's way too hard", man up you pansies, kerberos isn't that hard

    3. Re:Use GSSAPI by ArchieBunker · · Score: 1

      NFS was never meant to be used across WAN links.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    4. Re:Use GSSAPI by iggymanz · · Score: 1

      WAN links and networking have evolved much over the lifespan of NFS. It can be done over WAN now with no problem.

    5. Re:Use GSSAPI by iggymanz · · Score: 1

      People that have never done such things shouldn't comment using something they read as only reference. We do NFS over vpn on public internet across the country without issue. With today's gigabit plus links and high performance encryption hardware in firewalls there is no problem

  6. Re:What's really objectionable––&ndash by Desler · · Score: 1

    From the article:

    The sec=krb5p option will encrypt NFSv4 traffic in a Kerberos realm, but requiring this infrastructure is inappropriate in hosted environments and is generally far from helpful. Basic access to symmetric cryptography does not and should not mandate such enormous baggage.

    What you quoted was commentary added by the submitter and was not from the article.

  7. Re: Why bother, work on sshfs by Anonymous Coward · · Score: 1

    Newer =/= better. Sshfs is painfully slow compared to NFS.

  8. Re: telnet has encryption by Anonymous Coward · · Score: 1

    Man take a chill pill. He was just discussing that telnet has the ability to do encryption that's it. The article was poking fun at telnet. Besides telnet has some great terminal support still.

  9. Re:So the problem is already solved? by hjf · · Score: 1

    Written by a millennial that doesn't know about IPSec

  10. IPsec by pD-brane · · Score: 3, Insightful

    You could also do NFS over IPsec.

    NFSv3 could be fine as well.

    Often no need for complicated designs like NFSv4 and Kerberos.

    1. Re: IPsec by emil · · Score: 1

      Wireguard has biting criticism of ipsec and openvpn. If you can stand the UDP and you're on a supported platform, it's likely far preferable. See the addendum.

  11. sshfs rocks! But... by Kludge · · Score: 1

    I love sshfs. It is incredibly easy and convenient and works in places where nfs would be really hard to implement. It allows me to mount any file system on the ssh server, including file systems that are NFS network mounted themselves.
    However, I have found that sshfs is not very fast or stable. The sshfs mounted file systems will sometimes hang, even when my ssh terminal sessions remain up.
    Maybe I should contribute to development.

  12. We find a lot of weak encryption in weird places by raymorris · · Score: 1

    > It also makes maintainence easier. Each application protocol having its own encryption leads to a lot of wheel reinventing and unnecessary man hours maintaining software.

    I do vulnerability scanning and weak encryption issues are very common. Weak protocols, weak certs, etc. Often these are on devices or services that people don't think about very often. Using an ipsec or similar VPN tunnel between sites means EVERYTHING going over the wire is encrypted properly, by maintaining just one configuration. You may also want some things encrypted on the local network.

  13. Stunnel? by aglider · · Score: 1

    Why noto plain SSH TCP forwarding?

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    1. Re: Stunnel? by emil · · Score: 1

      Easy answer... Stunnel runs out of inetd, and it supports client=yes in that configuration. A wrapper will also coerce it to observe restricted ports. This is much friendlier than ssh.

  14. Re:What's really objectionable––&ndash by ArchieBunker · · Score: 1

    Linux has documentation? I've found most of it horribly outdated.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  15. Re: telnet has encryption by ArchieBunker · · Score: 1

    For a while when sshd was having numerous buffer overflows telnet made more sense :)

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  16. Link speed and VPNs by duke_cheetah2003 · · Score: 1

    This is a bit on the goofy side for /. Who didn't know NFS is insecure? Neither is CIFS/Samba, they're both insecure and from my perspective these are the two most used network file system protocols used in Linux.

    And since NFS is been insecure since...forever. I've never used this thing not-over-a-VPN or only on LANs. Traditionally, NFS was not really used across WANs due to poor linkspeed across such WANs, and I seem to recall NFS being horribly bad on slow links. So no one really cared about securing it because no one really ran NFS over the public internet. I certainly never did. I still don't. My network file system protocol of choice is CIFS/Samba over VPN, because it's just what I've always used. Windows didn't always support NFS, though I believe it does now.

    Of course this mentality came from an age before WiFi and broadband internet. I'd have to guess most of use don't fool with goofy stunnel setups when a VPN does the trick nicely, and provides security to a lot more than just NFS. Personally, I consider stunnel to be what people used when they can't figure out how to create point-to-point VPN between two locations. Sticking only one protocol into an encrypted stream kinda gives a leg up to a would be interested third-party.
      Better to have lots of different stuff passing through encrypted pipes. I've been there, I've used it, but I don't anymore.

  17. It is unreliable - it is locking up by short · · Score: 1
    nfs over openvpn locks up = CLOSED WILL_NOT_FIX

    "there is no reasonable solution for this kind of bug. There will always be a danger of deadlocks when using openvpn."

    openvpn should behave the same as stunnel - a userspace program handling the data

  18. Still super-useful at home! by Arashi256 · · Score: 1

    I use NFS all over the place on my home network, purely because it's my home network and my good old residential router doesn't forward any ports from outside for NFS or open them on the firewall. My NFS server exports all my media so that my media clients around the house can mount the movies directory or whatever as if it were local. I also use it to mount my MAME ROMS directory for my RetroPie setup in the living room. Very handy. Since the NFS server won't talk to anything other than 192.168.1.* via it's own firewall it works very well. I'm not familiar with the history of NFS but did NFS used to be used from remote sites over the Internet or something? I suppose I can see a use for encrypted NFS over business networks if the LAN is huge and paranoid but wouldn't Samba or something be better in that situation? Honest questions.

  19. Re: What's really objectionable––& by emil · · Score: 1

    *I* am the author of the Linux Journal article, and your insistence on the Kerberos baggage means that ad-hoc connections that are not part of a realm must go unencrypted. This is bad enough when I'm at work trying to mount a server behind my cable modem, but it becomes truly objectionable when cloud providers push the same unencrypted protocols. And before you tell me that ipsec or openvpn will solve all of my problems, read the wireguard commentary.

  20. Re: Not using Kerberos and ldap by emil · · Score: 1

    Yes, because it is so very easy to get cloud servers, external vendor clients and servers, and internal sites in different domains into the same realm. You must do this every day.

  21. Re: SMBv3 by emil · · Score: 1

    ...and when it runs on Windows 7, it will be an option.

  22. Re: If you're that worried about your LAN... by emil · · Score: 1

    Please see the Wireguard addendum.

  23. Re: the price of free by emil · · Score: 1

    You don't send your private key to a CA for their signature. You send a public key embedded in your cert, which they encrypt with their private key. Their signature attests for you, but they can't decrypt without your key, which you (hopefully) never sent.