What protocol choice is safe for home directories? NFS, CIFS, SSHFS
I am setting up multiple Linux machines (CentOS 6). I have LDAP authentication against an AD server working via krb5_pam, and the other information, such as the home directory path, is pulled in from AD also. So when you log in with LDAP credentials it looks for your home at /home/<companyname>/username. I plan to auto mount the home directories from a single Linux machine via something like NFS or CIFS or sshfs...
I keep reading that my best choice is NFS, but it seems that all of the info I find on configuring NFS leaves off password protection!!! In NFS the assumption seems to be that anyone can mount the share but the files will be protected by uid number. Hmm, that seems not safe to me because I can just mount it on a Linux machine I control and change the uid of a user to whatever I want. Is there some other way that NFS prevents the case I describe? Wasn't password protection added in NFSv4? Are the NFSv4 passwords sent in plain text? How can I configure this? Should I just look at sshfs?
NFS uses IP address and UID, so you need to use static or pseudo-static addressing for the clients as well as the server. On high bandwidth connections (e.g., gigabit), NFS provides 3 to 4 times the sustained throughput of sshfs as well as much lower CPU utilization, from my testing.
Last edited by macemoneta; 08-18-2011 at 01:48 PM.
Thanks for your reply. It's very easy to spoof an IP and I already mentioned a way to get around uids. So how is this at all safe?
If you change your IP while the client is still on, you don't get access, you both lose access (packets are routed randomly to last ARP, and both machines are arping). You can get access if you change IP address while the client is offline, but you'll need to cycle through UIDs to find a match, and you'll need to know the name of the exported directory to mount it. Yes, it's security by obscurity, but it's like dialing random phone numbers to try to reach someone. For an intranet application behind a firewall, this is usually adequate.
You can also use Kerberos authentication and encryption with NFS if you like, and feel the need.
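As an added example (not part of any post in this thread), the Python check below reads `/etc/exports`-style lines and flags entries that still rely on the IP-and-UID trust discussed above rather than Kerberos. The sample export lines, the function name and the finding codes are constructed for illustration; default-option lists (`-sec=...`) and quoted paths are not handled.

```python
# Constructed sample /etc/exports content (not taken from the thread).
SAMPLE_EXPORTS = """\
# home directories
/home/example   192.0.2.0/24(rw,sync)
/home/example2  *(rw,sync,sec=sys:krb5p)
/home/example3  client1.example.com(rw,sync,sec=krb5p)
/srv/scratch    192.0.2.10(rw,no_root_squash,sec=krb5i) 192.0.2.11(ro)
"""

def audit_exports(text):
    """Return (path, client, finding) tuples for weak export entries.

    Finding codes (hypothetical names used only in this example):
      auth_sys       - sec=sys allowed or defaulted: server trusts client-sent UIDs
      no_encryption  - Kerberos without privacy (krb5/krb5i): traffic not encrypted
      no_root_squash - remote root keeps root on the export
      any_host       - export offered to every host
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            client, _, rest = spec.partition("(")
            opts = rest.rstrip(")").split(",") if rest else []
            client = client or "*"               # "(opts)" with no host means anyone
            flavors = ["sys"]                    # exports(5): sec= defaults to sys
            for opt in opts:
                if opt.startswith("sec="):
                    flavors = opt[4:].split(":") # colon-separated flavor list
            if "sys" in flavors:
                findings.append((path, client, "auth_sys"))
            elif any(f in ("krb5", "krb5i") for f in flavors):
                findings.append((path, client, "no_encryption"))
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash"))
            if client == "*":
                findings.append((path, client, "any_host"))
    return findings

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:16} {client:22} {finding}")
```

Only the `sec=krb5p` entry passes cleanly: `krb5` authenticates, `krb5i` adds integrity protection, and `krb5p` adds encryption of the NFS traffic.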