Old 01-19-2008, 03:58 PM   #1
frenchn00b
Senior Member
 
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,561

Rep: Reputation: 57
How to mount a nfs, through SSH connection ?


How to mount an NFS share through an SSH connection ?
Is there an easy way for a newbie to establish an ssh in /etc/fstab ?
There is a nfs server (like most of you have), I would like to ssh it and mount the /home.

Thank you for the information, in case it is possible

Last edited by frenchn00b; 01-19-2008 at 03:59 PM.
 
Old 01-19-2008, 04:04 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
you've not described the topology at all, but i'd suggest you'd be better off using sshfs within fuse than using ssh to tunnel nfs.

as for actually doing what you asked, 10 seconds on google provides many hits, like http://www.howtoforge.com/nfs_ssh_tunneling
 
Old 01-19-2008, 04:11 PM   #3
frenchn00b
Senior Member
 
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,561

Original Poster
Rep: Reputation: 57
Quote:
Originally Posted by acid_kewpie
you've not described the topology at all, but i'd suggest you'd be better off using sshfs within fuse than using ssh to tunnel nfs.

as for actually doing what you asked, 10 seconds on google provides many hits, like http://www.howtoforge.com/nfs_ssh_tunneling
Wow, it is a great how to you found me !!
Thousand thanks


is it important that it has fixed ports ?
Quote:

First configure it to run on fixed ports, this will make building a firewall much easier but equally important it aids in simpler client mounts.

echo "STATDOPTS=--port 2231" > /etc/default/nfs-common
echo "options lockd nlm_udpport=2232 nlm_tcpport=2232" >> /etc/modules.conf
echo "RPCNFSDCOUNT=8 RPCMOUNTDOPTS='-p 2233'" > /etc/default/nfs-kernel-server
the port is then those ones ?
Quote:
nosuid,port=61001,mountport=62001,

Last edited by frenchn00b; 01-19-2008 at 04:15 PM.
 
Old 01-19-2008, 04:15 PM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
well it wasn't exactly hard to find...
http://www.google.com/search?q=ssh+nfs+tunnel

and yes it will matter, NFS in itself is a portmapped service, meaning you'll never actually know what port your data is going to flow over, meaning you can't configure a tunnel for it in advance
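
Added example, not part of any post in this thread: a check that the helper daemons really sit on their pinned ports before a tunnel is built for them. The function names and the listing are constructed for illustration; the pinned numbers are the ones in the howto quoted in post #3 (statd 2231, lockd 2232, mountd 2233).

```shell
#!/bin/sh
# Added example (not from the thread). Pins use the port numbers from the
# howto quoted in post #3: statd 2231, lockd 2232, mountd 2233.

# check_pins SERVICE:PORT... ; reads `rpcinfo -p` style text on stdin.
check_pins() {
    awk -v pins="$*" '
    BEGIN {
        n = split(pins, p, " ")
        for (i = 1; i <= n; i++) { split(p[i], kv, ":"); want[kv[1]] = kv[2] }
    }
    # data rows: program vers proto port service
    $1 ~ /^[0-9]+$/ && ($5 in want) {
        key = $5 "/" $3
        if (seen[key " " $4]++) next        # several versions share one port
        if ($4 == want[$5]) printf "OK %s port=%s\n", key, $4
        else printf "UNPINNED %s port=%s want=%s\n", key, $4, want[$5]
    }'
}

# Constructed listing: lockd UDP was left to the portmapper, the rest are pinned.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100024    1   udp   2231  status
    100024    1   tcp   2231  status
    100003    3   tcp   2049  nfs
    100021    1   udp  41873  nlockmgr
    100021    3   udp  41873  nlockmgr
    100021    1   tcp   2232  nlockmgr
    100005    3   udp   2233  mountd
    100005    3   tcp   2233  mountd
EOF
}

pin_report() { sample_rpcinfo | check_pins status:2231 nlockmgr:2232 mountd:2233; }
pin_report
```

On a live server, pipe the output of `rpcinfo -p` into `check_pins` in place of the sample listing.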
 
Old 01-19-2008, 04:17 PM   #5
frenchn00b
Senior Member
 
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,561

Original Poster
Rep: Reputation: 57
Quote:
Originally Posted by acid_kewpie
well it wasn't exactly hard to find...
http://www.google.com/search?q=ssh+nfs+tunnel

and yes it will matter, NFS in itself is a portmapped service, meaning you'll never actually know what port your data is going to flow over, meaning you can't configure a tunnel for it in advance
Is the method secured by the way ?
 
Old 01-19-2008, 04:47 PM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
of course it is, that's what the first S in SSH stands for.
 
Old 05-22-2009, 03:49 PM   #7
frenchn00b
Senior Member
 
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,561

Original Poster
Rep: Reputation: 57
now I know, took some time rather, no?

one needs fuse, then type easily, with the right parameters, and the ssh is mounted, e.g.:

Code:
# $3 is the script's third positional argument, used as the local mount point
mkdir "$3"
sshfs user@server:/path/to/folder "$3"
 
Old 05-23-2009, 04:39 PM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
yeah, fuse is nice for simple things, but in enterprise i'd really not feel comfortable with that sort of thing. Maybe i'm wrong.
 
Old 06-29-2009, 11:55 PM   #9
ChipB
LQ Newbie
 
Registered: Oct 2007
Posts: 10

Rep: Reputation: 0
Hey folks,

sshfs
I first set up sshfs. Unfortunately, it left the HOST FS corrupted (I think I needed
fsck or possibly just a reboot.) I forgot the details. I did not lose data but, I was so horrified,
I figured I would not touch it again and did not try to troubleshoot.

tunneling NFS
I did get NFS tunneling to work. I read some guides and had to do some hacking. I think part
of the problem was a mismatch of guides & software versions.

I use gentoo. This was involved & I think most any difference in SW version or dist will
manifest itself as some permutation on the steps :-)

The ssh does use some cpu overhead, but it is not horrid.
Off hand, 25% of a core in a non-ancient core 2 system (Q6600)
seems reasonable from my observations.

Good luck,
Chip


Below is a NFS/SSH HOWTO I wrote Nov 2008 for my internal use w/a gentoo system:
----------------------------------------------------------------
----------------------------------------------------------------
I prolly did not need the no_root_squash, but I'm trying to make sure this works
It is safer to remove the no_root_squash if possible.

I set up ssh so I could ssh from root on one machine to root on another without a password or phrase.
I assume the port forwarding needs to be done as root.

This was tested Oct 2008.



NFS thinks it is only mounting the local host.
SSH maps the local host ports between machines.



==============================================================



HOST 192.168.1.10:

1) /etc/exports
BACKGROUND
Export to the local host, NOT the remote. Yes, "insecure" is required. "localhost" in place of the local IP did not seem to work.

EDIT /etc/exports
/home/to_export 192.168.1.10(rw,no_root_squash,no_subtree_check,insecure)
/mnt/md10/md10_home/tcvm 192.168.1.10(rw,no_root_squash,no_subtree_check,insecure)


2) /etc/conf.d/nfs

BACKGROUND
We need to have ports of mountd easily accessible.
Without this, mountd would use 2 ports. Not only did I need to run
pmap_dump to see the numbers, but I needed to use trial and error to find which of the 2.
Bind mountd via /etc/conf.d/nfs
I also bound statd just to reduce dynamic port numbers

EDIT: /etc/conf.d/nfs
OPTS_RPC_MOUNTD="-p 32767"
OPTS_RPC_STATD="-p 32765 -o 32766"


3) sysctl.conf
BACKGROUND
This is not essential to ssh or nfs, but I find it desirable to also bind the nlockmgr ports.
As far as I know, this will remove the last dynamic ports from the system.
EDIT: (bottom of) /etc/sysctl.conf
# TCP Port for lock manager
fs.nfs.nlm_tcpport = 32771
# UDP Port for lock manager
fs.nfs.nlm_udpport = 34090



--------------------------------------------------------------



CLIENT (arbitrary IP#)

1) ssh
BACKGROUND
ssh
  -c blowfish                  cipher seems fast & secure
  -f                           go into background
  -L 4444:192.168.1.10:2049    forward client's 4444 to server 2049
                               2049 is static socket of nfs
  -L 5555:192.168.1.10:32767   32767 is above binding of mountd
  -l root 192.168.1.10         login as root on the server
  /bin/sleep 600d              sleep for 600d (stay alive during forwarding).
                               I think the forwarding itself may keep the ssh alive,
                               but I don't want to count on that. We can always kill.
4444 & 5555 are arbitrary as long as they are mirrored on the mount lines

COMMANDS
ssh -c blowfish-cbc -f -L 4444:192.168.1.10:2049 -l root 192.168.1.10 /bin/sleep 600d
ssh -c blowfish-cbc -f -L 5555:192.168.1.10:32767 -l root 192.168.1.10 /bin/sleep 600d

2) mount
BACKGROUND
mount
-t nfs ssh operates over nfs I don't know if the ssh -L bind works for udp. Experimentally, "-t nfs" was required.
port= & mountport= must match our client port #
localhost: NFS thinks it is purely local.
COMMANDS
mount -t nfs -o tcp,port=4444,mountport=5555 localhost:/home/to_export /home/to_export__mnt
mount -t nfs -o tcp,port=4444,mountport=5555 localhost:/mnt/md10/md10_home/tcvm /home/tcvm


=====================================================================
FIREWALL

I think we need only open the ssh ports for this to work.


=====================================================================
/etc/hosts.deny & /etc/hosts.allow

Allows specification of services & clients. Obviously susceptible
to IP# spoofing, but still useful

SAMPLE
/etc/hosts.deny
portmap: ALL

/etc/hosts.allow
portmap: 192.168.1.10

The allow overrides the overall blacklist via all
This works with function hosts_ctl(), which I've a program that uses.

=====================================================================

Last step on alan (client) when the mount command in the script did not work was
to run

/etc/init.d/nfs restart


even though nfs normally does not appear to need to be running.
I had set the nfs settings in /etc/sysctl.conf back to the original.
I guess the mods are only for the server.
Maybe it started the portmap which had not been running.
Now it is started at boot.


=====================================================================

REFERENCES:
There are a few good web pages, but no single one that is completely definitive.
http://www.linuxsecurity.com/content/view/117705/171/
http://nfs.sourceforge/nfs-howto/ar01s06.html
http://tldp.org/HOWTO/NFS-HOWTO/security.html

NFS4 & Kerberos
https://help.ubuntu.com/community/NFSv4Howto
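
Added example, not part of ChipB's HOWTO: an audit of /etc/exports entries against the three points that HOWTO makes about them (export only to the server's own IP, "insecure" is required for the tunnelled mount, no_root_squash is safer removed). It also catches the exports(5) pitfall where a space before the option list applies the options to every client. The function names, tags and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit exports(5) text on stdin.
# $1 is the server's own address (192.168.1.10 in the HOWTO above).
#   WIDE      client is not the server itself, so the export is reachable off-tunnel
#   ROOT      no_root_squash is set (the HOWTO says it is safer to remove)
#   NOTUNNEL  export to self lacks "insecure", which the HOWTO found to be required
audit_exports() {
    awk -v self="$1" '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            # empty client: options were separated from the host by a space
            shown = (client == "" ? "*any*" : client)
            if (client != self) printf "WIDE %s client=%s\n", path, shown
            n = split(opts, o, ","); insecure = 0
            for (j = 1; j <= n; j++) {
                if (o[j] == "no_root_squash") printf "ROOT %s client=%s\n", path, shown
                if (o[j] == "insecure") insecure = 1
            }
            if (client == self && !insecure) printf "NOTUNNEL %s client=%s\n", path, shown
        }
    }'
}

# Constructed sample; only the first line is taken from the HOWTO.
sample_exports() {
    cat <<'EOF'
/home/to_export 192.168.1.10(rw,no_root_squash,no_subtree_check,insecure)
/srv/data 192.168.1.10(rw,root_squash,no_subtree_check)
/srv/pub *(ro,insecure)
/srv/tmp 192.168.1.10 (rw,insecure)
EOF
}

audit_report() { sample_exports | audit_exports 192.168.1.10; }
audit_report
```

On the server itself, run `audit_exports 192.168.1.10 < /etc/exports`, substituting the server's own address.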
 
  

