Re: [Hampshire] SECURE NFS ROOT ?

Author: Stuart Sears
Date:  
To: adam.trickett, Hampshire LUG Discussion List
Subject: Re: [Hampshire] SECURE NFS ROOT ?
Dr A. J. Trickett wrote:
> On Wednesday 04 Mar 2009, Isaac Close wrote:
>> --- On Wed, 4/3/09, Dr A. J. Trickett <adam.trickett@???> wrote:
>>> On Wed, 04 Mar 2009 at 09:52:57AM
>>>> i'm trying to find information about some sort of 'secure'
>>>> NFS-ROOT Filesystem setup. So far, i'm not having much luck.
>>>> I have working NFS-ROOT machines, but as you may already know
>>>> NFS is not encrypted, and i can quite easily intercept packets
>>>> with code of my own.
>>>>
>>>> So, what to do ? Do you know something ?
>>> You can hack NFSv3 to run over some kind of secure tunnel
>>> or VPN.
>> I did think this, although i'll have to add it to the long todo list.
>>
>>> Better still run NFSv4 which is better than NFSv3 anyway
>>> but turn on Kerbose which makes it secure.
>> I trust you mean Kerberos, and that sounds like a positive way forward.
>
> I've had no problem setting up NFSv4 on Debian Etch/Lenny/Squeeze, and I've
> got Kerberos working fine too, however I've had no luck yet in getting NFSv4
> to work with Kerberos... I'd be very interested in hearing how you get on.


Which steps did you go through?

IME it really depends on which principal versions you have extracted.
(certainly on RHEL it does, anyway).

I've had this working - but when you do your ktadd you need to only
extract the des3-cbc-md5 version of the nfs principals for each of your
clients and the server.

You do have NFS and host principals for each machine, extracted on that
machine, correct?
nfs/host.name@REALM
host/host.name@REALM

Regards,

Stuart
--
Stuart Sears RHC*
"It's today!" said Piglet.
"My favourite day," said Pooh.
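
An added example, not part of Stuart's message: a Python check over `klist -ke` style output that confirms a machine's keytab holds both the nfs/ and host/ principals and that the nfs/ principal carries only the one encryption type you meant to extract. The sample listing, host name, realm and enctype labels are constructed, the function names are hypothetical, and the wanted enctype is whatever the caller passes in.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `klist -ke /etc/krb5.keytab` output.
# Host name, realm, KVNOs and enctype labels are made up for this example.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 host/client1.example.org@EXAMPLE.ORG (des-cbc-crc)
   3 nfs/client1.example.org@EXAMPLE.ORG (des3-cbc-sha1)
   3 nfs/client1.example.org@EXAMPLE.ORG (des-cbc-crc)
"""

# One keytab entry per line: KVNO, principal, enctype label in parentheses.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")


def parse_keytab_listing(text):
    """Map each principal in the listing to the set of its enctype labels."""
    entries = defaultdict(set)
    for line in text.splitlines():
        match = ENTRY.match(line)
        if match:  # header and separator lines do not match
            entries[match.group(2)].add(match.group(3))
    return dict(entries)


def check_nfs_keytab(text, fqdn, realm, wanted_enctype):
    """Return a list of problems found for machine `fqdn`; empty means OK."""
    entries = parse_keytab_listing(text)
    problems = []
    # Both service principals must have been extracted on this machine.
    for service in ("nfs", "host"):
        principal = f"{service}/{fqdn}@{realm}"
        if principal not in entries:
            problems.append(f"missing {principal}")
    # The nfs principal should carry the wanted enctype and nothing else.
    nfs_principal = f"nfs/{fqdn}@{realm}"
    enctypes = entries.get(nfs_principal, set())
    if enctypes and wanted_enctype not in enctypes:
        problems.append(f"{nfs_principal} lacks {wanted_enctype}")
    for extra in sorted(enctypes - {wanted_enctype}):
        problems.append(f"{nfs_principal} also has {extra}")
    return problems


if __name__ == "__main__":
    for problem in check_nfs_keytab(SAMPLE_KLIST, "client1.example.org",
                                    "EXAMPLE.ORG", "des-cbc-crc"):
        print(problem)
```

Run it against the listing from each client and the server in turn; an empty result means that machine's keytab matches the layout described in the message.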