
I've lost enough hair trying to set up this Kerberos nonsense. Is there any way to secure an NFSv4 setup without using Kerberos on a public cloud, i.e.:

  • all servers have a public IP (there is no internal IP and no VPC)
  • only known servers will be allowed to connect to NFS ports via appropriately setting up iptables
  • NFS traffic between servers should be ideally encrypted
  • all NFS clients are trusted
  • any network errors should not cause the client to crash or hang
  • all servers are running Ubuntu 18.04.1

server config:

# cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.1 LTS"

# uname -a
Linux prod-backoffice 4.15.0-42-generic #45-Ubuntu SMP Thu Nov 15 19:32:57 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Saurabh Nanda
  • Native encryption in NFSv4 requires Kerberos as far as I know, but you can of course apply transport security at a different level with for instance IPSEC or [stunnel](https://www.linuxjournal.com/content/encrypting-nfsv4-stunnel-tls) – HBruijn Feb 14 '19 at 12:56
  • @HBruijn is IPsec recommended for use in a public/shared cloud environment? Is it stable enough? Or will it cause weird bugs at the kernel level? – Saurabh Nanda Feb 14 '19 at 13:12

1 Answer


There was an article on Linux Journal on how to use stunnel to provide a secure connection between an NFS client and server. As NFSv4 uses only a single port, you only have to do it once.

This article has triggered new activity in the NFSv4 IETF working group, and there is now an attempt to standardize such deployments. But this will take some time to implement, test and get deployed on clients and servers.

kofemann
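As an added example (not from kofemann's answer or the Linux Journal article), here is the shape of such a deployment: stunnel terminates mutually authenticated TLS on the public IP and hands the plaintext stream to nfsd on loopback, the client's kernel NFS code only ever talks to its own loopback, and iptables closes the plaintext port to everything but the tunnel. The tunnel port 2323, the certificate paths under /etc/stunnel/, the export /export, the mount point /mnt/export and the 203.0.113.x client addresses are illustrative assumptions, not values from the question or the answer. The script only prints configuration and commands; you redirect each piece to the file named in the comment on the host it belongs to.

```shell
#!/bin/sh
# Added example (not from the answer or the Linux Journal article): wrap the
# single NFSv4 TCP port (2049) in a mutually authenticated TLS tunnel with
# stunnel and close the plaintext port to everything except the tunnel.
# Assumed values (not from the page): tunnel port 2323, certificate files
# under /etc/stunnel/, export path /export, Ubuntu 18.04 stunnel4 package.

TUNNEL_PORT="${TUNNEL_PORT:-2323}"
NFS_PORT=2049
STUNNEL_DIR=/etc/stunnel

# Server side, goes to /etc/stunnel/nfs.conf on the NFS server.
# verify = 2 rejects any peer whose certificate does not chain to our own
# CA, so only clients we issued a certificate to can reach nfsd at all.
stunnel_server_conf() {
    cat <<EOF
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/nfs.pid
cert = ${STUNNEL_DIR}/server.pem
key = ${STUNNEL_DIR}/server.key
CAfile = ${STUNNEL_DIR}/ca.pem
verify = 2

[nfs]
accept = 0.0.0.0:${TUNNEL_PORT}
connect = 127.0.0.1:${NFS_PORT}
EOF
}

# Client side, goes to /etc/stunnel/nfs.conf on each NFS client. The remote
# nfsd appears on the client's own loopback port 2049, so the kernel NFS
# client never sends plaintext off the host. The client verifies the server
# certificate against the same private CA.
stunnel_client_conf() {
    server_ip="$1"
    cat <<EOF
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/nfs.pid
client = yes
cert = ${STUNNEL_DIR}/client.pem
key = ${STUNNEL_DIR}/client.key
CAfile = ${STUNNEL_DIR}/ca.pem
verify = 2

[nfs]
accept = 127.0.0.1:${NFS_PORT}
connect = ${server_ip}:${TUNNEL_PORT}
EOF
}

# /etc/exports on the server. Every client now arrives from 127.0.0.1, so
# the export list can no longer tell clients apart by address; the TLS
# client certificate is the only identity left. Export to loopback only.
nfs_exports() {
    echo "/export 127.0.0.1(rw,sync,no_subtree_check)"
}

# iptables rules for the server: plaintext 2049 only from loopback, the TLS
# port only from the known client addresses passed as arguments.
nfs_firewall_rules() {
    echo "iptables -A INPUT -i lo -p tcp --dport ${NFS_PORT} -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport ${NFS_PORT} -j DROP"
    for client in "$@"; do
        echo "iptables -A INPUT -p tcp --dport ${TUNNEL_PORT} -s ${client} -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport ${TUNNEL_PORT} -j DROP"
}

# Mount through the local tunnel end. vers=4.1 keeps the server-to-client
# back-channel on the client-initiated TCP connection; NFSv4.0 would try to
# open a separate connection back to "127.0.0.1", which on the server is the
# server itself, so delegations would silently fail.
nfs_mount_cmd() {
    echo "mount -t nfs4 -o vers=4.1,port=${NFS_PORT} 127.0.0.1:/export /mnt/export"
}

case "${1:-}" in
    server-stunnel)  stunnel_server_conf ;;            # > /etc/stunnel/nfs.conf (server)
    server-exports)  nfs_exports ;;                    # > /etc/exports (server)
    server-firewall) shift; nfs_firewall_rules "$@" ;; # | sh (server), one client IP per arg
    client-stunnel)  stunnel_client_conf "$2" ;;       # > /etc/stunnel/nfs.conf (client)
    client-mount)    nfs_mount_cmd ;;                  # | sh (client)
    *) echo "usage: $0 server-stunnel|server-exports|server-firewall IP...|client-stunnel SERVER_IP|client-mount" >&2 ;;
esac
```

On Ubuntu 18.04 the stunnel4 service also needs ENABLED=1 in /etc/default/stunnel4 before it will pick up /etc/stunnel/nfs.conf. The CA should be one you run yourself and use for nothing else: with verify = 2 any certificate that chains to it is a valid NFS client, so issuing one certificate per client host, and revoking (or simply not reissuing) when a host is retired, replaces the per-IP export list. Two caveats the question raises but the tunnel does not solve: the firewall rules above still limit the tunnel port to known addresses, which is the remaining defence if a client key leaks; and whether a network outage makes the client hang or return errors is decided by the mount's hard/soft options, not by stunnel. A restart of stunnel on either end drops the TCP connection, and a hard mount then blocks until the kernel client has reconnected through the new tunnel.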