We have a situation here where for various reasons we need to deal
with the possibility of host impersonation, where someone might take
over the IP address of a machine that's authorized to do NFS v3 mounts.
Our solution on our current Solaris fileservers is authenticating the
clients when and as they make NFS mounts through a callback process
based on intercepting netgroup membership checks with an NSS module.
We'd like to bring up some sort of host authentication on Linux so that
we can use Linux as an NFS server in our environment. Unfortunately a
straight port of our Solaris solution appears infeasible due to a glibc
issue[*], which leaves me looking around for ideas. The options that I
can think of now are:
- modify the mountd source to stuff in a callout to our authentication
system at mount time.
drawback: we'd have to maintain a custom hack to mountd (and figure
out where in the source to put it).
- use ipsec between clients and servers.
drawback: the ipsec overhead and speed reduction
- put together some firewall based system that only allows access to
the NFS and/or mountd ports after host verification.
drawback: I'd like to automatically trigger verification on mount
requests rather than require clients to trigger it in an out-of-band
way and I'm not sure if there's any easy way to do that.
(Perhaps the answer is the 'spawn' tcpwrappers option to trigger a
callout.)
Are there options that I'm not seeing here or that I haven't
considered? Are there good fixes to the drawbacks I've listed
that I'm not seeing?
Out of the options that people can see (possibly not just these ones),
what do people think would be the best way to do this?
(I suspect that there is no interest in adding some general system for
NFS mount authentication checks to mountd.)
Thanks in advance for any opinions et al that people feel like
offering.
PS: 'switch to NFS v4 to strongly authenticate user requests' is not an
option for us. We specifically value things that cannot be done
with true verification of user identification, like cron, and we
don't have and don't want to build the infrastructure that would
be required for strongly authenticated NFS v4.
- cks
[*: Building a NSS module that supports netgroup lookups requires using
an internal glibc header file to get a definition of a struct that
is passed to NSS netgroup lookup functions.
]
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
