LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices



Reply
 
Search this Thread
Old 01-22-2010, 06:07 PM   #1
Jophish
LQ Newbie
 
Registered: Jun 2008
Posts: 6

Rep: Reputation: 5
Limiting sshfs access to a specific directory, or tunneling nfs over ssh.


Howdy all.

I have a server with a /data/ directory, everything in the /data/ folder has "-rwxrw-rw- 1 root root" permissions. The /data/ directory is listed in /etc/exports:
Code:
$ cat /etc/exports
/data 192.168.0.0/255.255.255.0(rw,sync)
This all works fine, multiple users are mounting this over a lan and everyone is able to modify files. However I would like to be able to access the /data/music/ directory from the internet. My first thought was to change /etc/exports to the following:

Code:
/data 192.168.0.2/255.255.255.0(rw,sync)
/data/music 192.168.0.1(ro,sync)
However nfs isn't really secure enough for this, ssh seems to way to go.
The problem is that sshfs will give unrestricted access to the whole server. There are two options here.
Is it possible to configure sshfs to only accept logins from a user restricted to reading the /data/music directory, or would it be possible to tunnel nfs over ssh in such a way that everyone on the lan 192.168.0.xxx has unrestricted access to the data directory, but something coming from outside only has read access to the music directory. Although is one were tunneling nfs over ssh, the nfs mount request would appear to come from the server itself. The router is at 192.168.0.1 and the server is at 192.168.0.3.

This Seems very much like what I want to do, however I'm having a bit of trouble getting this to work well with other users mounting with full rights over the lan too.

Thanks very much.
 
Old 01-22-2010, 07:00 PM   #2
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655
I don't remember the details but there is an option in sshd_config for per user config options. The manpage has an example.

You might try creating a user account just for using sftp. Use rssh for this user's default shell and /data/music for its HOME directory entry in /etc/passwd. Rssh allows restricting shell access and rooting the user to the current directory. Alternatively you could use vsftp over an ssh tunnel.

http://www.cyberciti.biz/tips/rhel-c...ssh-shell.html
This page goes through instructions to jailroot users.
http://www.cyberciti.biz/tips/howto-...ail-setup.html

Your export entry isn't correct. Using the router's IP address won't allow remote access unless you can ssh into the router and from there sftp to the server.

If you were to go the nfs over ssh tunnel approach, google for "nfsv4 over ssh". NFSv4 can use a single tcp port making it suitable for an ssh tunnel. It also has a number of security models more suitable for remote access.

Last edited by jschiwal; 01-22-2010 at 07:14 PM.
 
Old 01-22-2010, 07:12 PM   #3
Jophish
LQ Newbie
 
Registered: Jun 2008
Posts: 6

Original Poster
Rep: Reputation: 5
Thanks for the prompt reply.

I'm sure that that would work, however nfs seems to have all the features I need built in, "/data/music" limits the directory, and "(ro)" limits the mount to just reading files.
the trouble is getting nfs to tunnel over ssh, and allowing raw nfs mounting from within the lan. While keeping the whole system secure from the www.

Thanks.
 
Old 01-22-2010, 07:20 PM   #4
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655
I added a line to my original message.

You can allow nfs access for the LAN as you do now, and sftp access from the internet.
Using NFS4 would be more suitable for an ssh tunnel because it can use a single TCP port. It also has additional security models. The default UID based method of restricting file access is suitable for a trusted LAN but not for remote access.
 
Old 01-23-2010, 08:03 AM   #5
Jophish
LQ Newbie
 
Registered: Jun 2008
Posts: 6

Original Poster
Rep: Reputation: 5
It seems like nfsv4 over ssh is the way to go then.

I should be able to do something like this.
/etc/exports should look like this:
Code:
/data 192.168.0.0/255.255.255.0(rw,sync)
/data/music 127.0.0.1(ro,sync)
It is my understanding that when mounting an nfs share over ssh. The server gets the request from itself, although would it come from 127.0.0.1 or 192.168.0.3? In the case of the latter obviously the /etc/exports example above would allow someone to mount with rw permissions /data.

Assuming that that is working, in /etc/ssh/sshd_config it only has one option for Listenaddress, and I can't seem to figure out how to manipulate AllowUser to do what I want. That is to allow anyone to access from inside the lan, but only one user to access it from outside the lan, so I couldn't ssh in as a privileged user from the internet.

Thanks

Edit:

I believe that this in /etc/ssh/sshd_config should do the trick
Code:
AllowUsers *@192.168.0.* sleeper
This should allow sleeper (the user used to create the ssh tunnel) access from anywhere, but allow anyone to ssh in from the lan.

Last edited by Jophish; 01-23-2010 at 06:34 PM.
 
Old 01-24-2010, 05:59 AM   #6
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655
Code:
/data 192.168.0.0/255.255.255.0(fsid=0,rw,sync)
/data/music 127.0.0.1(ro,sync)
This page may have better information on what you want for exports, and fstab: http://www.vanemery.com/Linux/NFSv4/...ec.html#sshtun
It doesn't use rpcsec.
 
  


Reply

Tags
nfs, ssh, sshfs, tunneling


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
SSH Access Limiting By IP Address During Certain Times jordo2323 Linux - Security 7 11-20-2008 03:01 PM
Limiting Access to NFS mounts kaplan71 Linux - Networking 6 03-29-2008 07:11 AM
LXer: Securing NFS - Tunneling NFS over SSH LXer Syndicated Linux News 0 09-27-2006 03:03 PM
Encrypted NFS with ssh tunneling almost there danrh9 Linux - Networking 2 02-22-2004 04:52 PM
Limiting SSH access stevealarsen Linux - General 2 09-28-2002 09:18 PM


All times are GMT -5. The time now is 12:14 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration