LinuxQuestions.org
Old 08-18-2011, 11:50 AM   #1
startoftext
What protocol choice is safe for home directories? NFS, CIFS, SSHFS


I am setting up multiple Linux machines (CentOS 6). I have LDAP authentication against an AD server working via krb5_pam and the other information such as home directory path pulled in from AD also. So when you log in with LDAP credentials it looks for your home at /home/<companyname>/username. I plan to auto mount the home directories from a single Linux machine via something like NFS or CIFS or sshfs...

I keep reading that my best choice is NFS but it seems that all of the info I find on configuring NFS leaves off password protection!!! In NFS the assumption seems to be that anyone can mount the share but the files will be protected by UID number. Hmm, that seems not safe to me because I can just mount it on a Linux machine I control and change the UID of a user to whatever I want. Is there some other way that NFS prevents the case I describe? Wasn't password protection added in NFSv4? Are the NFSv4 passwords sent in plain text? How can I configure this? Should I just look at sshfs?
 
Old 08-18-2011, 01:45 PM   #2
macemoneta
NFS uses IP address and UID, so you need to use static or pseudo-static addressing for the clients as well as the server. On high bandwidth connections (e.g., gigabit), NFS provides 3 to 4 times the sustained throughput of sshfs as well as much lower CPU utilization, from my testing.

Last edited by macemoneta; 08-18-2011 at 01:48 PM.
 
Old 08-18-2011, 04:36 PM   #3
startoftext
Quote:
Originally Posted by macemoneta
NFS uses IP address and UID, so you need to use static or pseudo-static addressing for the clients as well as the server. On high bandwidth connections (e.g., gigabit), NFS provides 3 to 4 times the sustained throughput of sshfs as well as much lower CPU utilization, from my testing.
Thanks for your reply. It's very easy to spoof an IP and I already mentioned a way to get around UIDs. So how is this at all safe?
 
Old 08-18-2011, 05:34 PM   #4
macemoneta
If you change your IP while the client is still on, you don't get access, you both lose access (packets are routed randomly to last ARP, and both machines are arping). You can get access if you change IP address while the client is offline, but you'll need to cycle through UIDs to find a match, and you'll need to know the name of the exported directory to mount it. Yes, it's security by obscurity, but it's like dialing random phone numbers to try to reach someone. For an intranet application behind a firewall, this is usually adequate.

You can also use Kerberos authentication and encryption with NFS if you like, and feel the need.
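
The trade-off discussed in this thread (NFS trusting client IP and UID versus NFS with Kerberos), as an added example that is not part of any post: a small Python audit of `/etc/exports` text that flags entries still accepting `sec=sys`. The sample exports, hosts and paths are constructed, and the parser assumes plain `path client(options)` entries without quoting, line continuations or `-` default-option lists.

```python
import re

# Constructed sample /etc/exports content; paths, hosts and networks are made up.
SAMPLE_EXPORTS = """\
# home directories
/export/home    192.0.2.0/24(rw,sync)
/export/home2   *(rw,sync,no_root_squash)
/export/secure  192.0.2.0/24(rw,sync,sec=krb5p)
/export/mixed   client1.example.com(rw,sec=krb5p:sys) client2.example.com(ro,sec=krb5i)
"""

KERBEROS = {"krb5", "krb5i", "krb5p"}   # auth only / + integrity / + encryption
SPEC = re.compile(r"([^()]*)(?:\(([^()]*)\))?")  # client(opt,opt,...)


def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = SPEC.fullmatch(spec)
            if not m:
                continue
            client = m.group(1) or "*"           # "(opts)" alone means any host
            opts = [o for o in (m.group(2) or "").split(",") if o]
            # sec= takes a colon-separated list; exports(5) defaults to sys.
            flavors = next((o[4:].split(":") for o in opts
                            if o.startswith("sec=")), ["sys"])
            if any(f not in KERBEROS for f in flavors):
                # Non-Kerberos flavor accepted: server trusts address and claimed UID.
                findings.append((path, client, "auth_sys"))
            elif any(f != "krb5p" for f in flavors):
                # Kerberos identity, but file data still crosses the wire in clear.
                findings.append((path, client, "no_privacy"))
            if client == "*":
                findings.append((path, client, "any_host"))
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:15} {client:22} {finding}")
```

An entry listing `sec=krb5p:sys` is still flagged, because a client may negotiate any flavor in the list.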
 
  



Tags
nfsv4, shareddirectory, sshfs


All times are GMT -5.
