The current state of NFS

I used to use NFS back in 2000 - back when we still thought unsecured local services were okay. And I loved it - it was slow, but very useful. So I'd like to start using it again, but I want it secured. Apparently NFSv4 "mandates strong security" (according to Wikipedia): does that mean for authentication, or encryption of files "in flight," or both? And I keep seeing it mentioned with Kerberos: I've been researching Kerberos a bit and that really looks like something I'd rather NOT have to set up. Is it possible to run NFSv4 without Kerberos? Pointers to recent, good tutorials would also be deeply appreciated.

I'm using Fedora 27 and Debian (stable or testing) on the clients. You can stomp me if you like for my plan to use a Raspberry Pi as the server - I'm not looking for speed as this will mostly be for backups. I'd probably use Raspbian unless there's a compelling reason to use one of the other Pi distros. Of course if this will really need more memory than the Pi has, that's another issue ...

--
Giles
https://www.gilesorr.com/
gilesorr@gmail.com

On Thu, Feb 22, 2018 at 03:25:49PM -0500, Giles Orr via talk wrote:
> I used to use NFS back in 2000 - back when we still thought unsecured local services were okay. And I loved it - it was slow, but very useful. So I'd like to start using it again, but I want it secured. Apparently NFSv4 "mandates strong security" (according to Wikipedia): does that mean for authentication, or encryption of files "in flight," or both? And I keep seeing it mentioned with Kerberos: I've been researching Kerberos a bit and that really looks like something I'd rather NOT have to set up. Is it possible to run NFSv4 without Kerberos? Pointers to recent, good tutorials would also be deeply appreciated.
>
> I'm using Fedora 27 and Debian (stable or testing) on the clients. You can stomp me if you like for my plan to use a Raspberry Pi as the server - I'm not looking for speed as this will mostly be for backups. I'd probably use Raspbian unless there's a compelling reason to use one of the other Pi distros. Of course if this will really need more memory than the Pi has, that's another issue ...

My understanding of NFSv4 is that it is not NFS. It is something new and complicated that is way beyond what previous NFS versions did. Sure it's called NFS, but it's different.

I too looked at it, got to Kerberos, and then went the other direction.

NFS before v4 were invented at SUN. NFS v4 was done by the IETF. It was based on ideas from AFS and SMB/CIFS.

I found something that seems to indicate it is possible to make NFSv4 run without Kerberos and all that: https://lists.debian.org/debian-user/2017/10/msg00476.html

--
Len Sorensen

If the primary purpose is backup, why not just use Rsync?

On Thu, Feb 22, 2018 at 4:33 PM, Lennart Sorensen via talk <talk@gtalug.org> wrote:
> On Thu, Feb 22, 2018 at 03:25:49PM -0500, Giles Orr via talk wrote:
>> I used to use NFS back in 2000 - back when we still thought unsecured local services were okay. And I loved it - it was slow, but very useful. So I'd like to start using it again, but I want it secured. Apparently NFSv4 "mandates strong security" (according to Wikipedia): does that mean for authentication, or encryption of files "in flight," or both? And I keep seeing it mentioned with Kerberos: I've been researching Kerberos a bit and that really looks like something I'd rather NOT have to set up. Is it possible to run NFSv4 without Kerberos? Pointers to recent, good tutorials would also be deeply appreciated.
>>
>> I'm using Fedora 27 and Debian (stable or testing) on the clients. You can stomp me if you like for my plan to use a Raspberry Pi as the server - I'm not looking for speed as this will mostly be for backups. I'd probably use Raspbian unless there's a compelling reason to use one of the other Pi distros. Of course if this will really need more memory than the Pi has, that's another issue ...
>
> My understanding of NFSv4 is that it is not NFS. It is something new and complicated that is way beyond what previous NFS versions did. Sure it's called NFS, but it's different.
>
> I too looked at it, got to Kerberos, and then went the other direction.
>
> NFS before v4 were invented at SUN. NFS v4 was done by the IETF. It was based on ideas from AFS and SMB/CIFS.
>
> I found something that seems to indicate it is possible to make NFSv4 run without Kerberos and all that: https://lists.debian.org/debian-user/2017/10/msg00476.html
>
> --
> Len Sorensen
> ---
> Talk Mailing List
> talk@gtalug.org
> https://gtalug.org/mailman/listinfo/talk

On Thu, 22 Feb 2018, Lennart Sorensen via talk wrote:
> My understanding of NFSv4 is that it is not NFS. It is something new and complicated that is way beyond what previous NFS versions did. Sure it's called NFS, but it's different.

It is quite different but since NFS 4.1 it has looked the same at least. I'm able to switch between NFS & NFS4 in /etc/fstab and remount filesystems using a different version of the protocol. I've had to do this for debugging a few times.

> I found something that seems to indicate it is possible to make NFSv4 run without Kerberos and all that: https://lists.debian.org/debian-user/2017/10/msg00476.html

I've run 4.1 without Kerberos for years.

Rob
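
Added example, not part of any post in this thread: the question of authentication versus encryption "in flight" is settled per mount by the `sec=` flavor, and an NFS mount made without Kerberos typically appears as `sec=sys`. The Python sketch below classifies mounts from `/proc/mounts`-style text; the sample lines, host names and function names are constructed for illustration.

```python
"""Report what protection each NFS mount's sec= flavor gives on the wire."""

# RPC security flavor -> (authenticated, integrity-protected, encrypted)
FLAVORS = {
    "sys":   (False, False, False),  # client-asserted UID/GID, no cryptography
    "krb5":  (True,  False, False),  # Kerberos authentication only
    "krb5i": (True,  True,  False),  # adds a checksum over each RPC message
    "krb5p": (True,  True,  True),   # adds encryption of RPC payloads
}

# Constructed sample in /proc/mounts format; hosts, paths and addresses are made up.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
pi.example:/backup /mnt/backup nfs4 rw,relatime,vers=4.1,sec=sys,clientaddr=192.0.2.10 0 0
pi.example:/media /mnt/media nfs ro,relatime,vers=3,proto=tcp,sec=sys 0 0
files.example:/home /home nfs4 rw,relatime,vers=4.2,sec=krb5p 0 0
files.example:/pub /srv/pub nfs4 ro,vers=4.1,sec=krb5 0 0
"""


def audit_nfs_mounts(mounts_text):
    """Return one finding per NFS mount found in /proc/mounts-style text."""
    findings = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] not in ("nfs", "nfs4"):
            continue  # not an NFS mount
        # "rw,vers=4.1,sec=sys" -> {"rw": "", "vers": "4.1", "sec": "sys"}
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        flavor = opts.get("sec", "unknown")
        # Assumption: a missing or unrecognised flavor is reported as unprotected.
        auth, integrity, encrypted = FLAVORS.get(flavor, (False, False, False))
        findings.append({
            "mountpoint": fields[1],
            "version": opts.get("vers", "unknown"),
            "sec": flavor,
            "authenticated": auth,
            "integrity": integrity,
            "encrypted": encrypted,
        })
    return findings


def cleartext_mounts(findings):
    """Mount points whose file data crosses the network unencrypted."""
    return [f["mountpoint"] for f in findings if not f["encrypted"]]


if __name__ == "__main__":
    for f in audit_nfs_mounts(SAMPLE_MOUNTS):
        print(f)
```

On a live client, pass the contents of `/proc/mounts` to `audit_nfs_mounts` instead of the sample text.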

After a bit more research and thought, it seems that NFS without Kerberos isn't secure, and I'm not implementing Kerberos - so I'm not implementing NFS. I was already part way to the hinted-at and directly proposed solution: rsync-over-ssh for backup, and Read-Only SMB for media sharing. NFS would be more elegant, but without proper security it's not acceptable to me for my private files.

Thanks to everyone for the responses: it helped me figure out what I wanted to do.

On 26 February 2018 at 04:05, Robert Brockway via talk <talk@gtalug.org> wrote:
> On Thu, 22 Feb 2018, Lennart Sorensen via talk wrote:
>> My understanding of NFSv4 is that it is not NFS. It is something new and complicated that is way beyond what previous NFS versions did. Sure it's called NFS, but it's different.
>
> It is quite different but since NFS 4.1 it has looked the same at least. I'm able to switch between NFS & NFS4 in /etc/fstab and remount filesystems using a different version of the protocol. I've had to do this for debugging a few times.
>
>> I found something that seems to indicate it is possible to make NFSv4 run without Kerberos and all that: https://lists.debian.org/debian-user/2017/10/msg00476.html
>
> I've run 4.1 without Kerberos for years.

--
Giles
https://www.gilesorr.com/
gilesorr@gmail.com

On 03/01/2018 10:15 PM, Giles Orr via talk wrote:
> After a bit more research and thought, it seems that NFS without Kerberos isn't secure, and I'm not implementing Kerberos - so I'm not implementing NFS. I was already part way to the hinted-at and directly proposed solution: rsync-over-ssh for backup, and Read-Only SMB for media sharing. NFS would be more elegant, but without proper security it's not acceptable to me for my private files.
>
> Thanks to everyone for the responses: it helped me figure out what I wanted to do.

This is a bit of an extreme position to take. If you're CSE operating in a Tempest building then there may be reason to not have any unencrypted data on your network but most home networks run the preponderance of their traffic unencrypted. If you're that concerned about your private files then you need to be backing them up to directly connected hardware.

If you're looking for a network file system that supports network encryption take a look at Gluster. It can be used in a mode where there is no cluster of systems and no replication on a single server. It's kind of a waste of all its features but it will work.

--
Alvin Starr || land: (905)513-7688
Netvel Inc. || Cell: (416)806-0133
alvin@netvel.net ||

Hi Giles,

My experience with NFS has been entirely different, for me it was a simple fast system, that's faster than SAMBA and SSH, that let me copy files over a network where the speed limitation would be either hard drive throughput or a network card speed (if it were 100Mbps link). From the replies above it looks like NFSv4 is a completely different beast and in your scenario it wouldn't really make sense to use it over SSH, so I'm going to discuss trade-offs of NFSv3 vs SSH.

The limitations of Raspberry Pi are that it's got only 100Mbps Ethernet port and that it doesn't have a lot of hardware for encryption compared to x86 CPU, you would be limited to about 2-3MBps transfer rate over SSH and you might be able to achieve about 10-12MBps transfer rate over NFS. This all depends on how big the backup files are -- if they are about 20MB each then there's no point in setting up NFS, if they are about 1GB each, then what you can do is to encrypt the files using GPG on the server where they are being backed up and then transfer them to an unsecured NFS share on Raspberry Pi when they then would be further processed and moved off the share.

I'm assuming for Raspberry Pi you would use an external USB hard drive for storage, you could also increase network speed to about 400Mbps if you use USB2 to Ethernet Gigabit network adapter, which could be bought for about $20-$40.

Alex.

On 02/22/18 15:25, Giles Orr via talk wrote:
> I used to use NFS back in 2000 - back when we still thought unsecured local services were okay. And I loved it - it was slow, but very useful. So I'd like to start using it again, but I want it secured. Apparently NFSv4 "mandates strong security" (according to Wikipedia): does that mean for authentication, or encryption of files "in flight," or both? And I keep seeing it mentioned with Kerberos: I've been researching Kerberos a bit and that really looks like something I'd rather NOT have to set up. Is it possible to run NFSv4 without Kerberos? Pointers to recent, good tutorials would also be deeply appreciated.
>
> I'm using Fedora 27 and Debian (stable or testing) on the clients. You can stomp me if you like for my plan to use a Raspberry Pi as the server - I'm not looking for speed as this will mostly be for backups. I'd probably use Raspbian unless there's a compelling reason to use one of the other Pi distros. Of course if this will really need more memory than the Pi has, that's another issue ...
>
> --
> Giles
> https://www.gilesorr.com/
> gilesorr@gmail.com

If your network is secure then you could use something like tar and netcat instead of ssh to avoid the crypto penalty. I believe that rsync when run in server mode does not do encryption.

On 02/23/2018 10:30 AM, Alex Volkov via talk wrote:
> Hi Giles,
>
> My experience with NFS has been entirely different, for me it was a simple fast system, that's faster than SAMBA and SSH, that let me copy files over a network where the speed limitation would be either hard drive throughput or a network card speed (if it were 100Mbps link). From the replies above it looks like NFSv4 is a completely different beast and in your scenario it wouldn't really make sense to use it over SSH, so I'm going to discuss trade-offs of NFSv3 vs SSH.
>
> The limitations of Raspberry Pi are that it's got only 100Mbps Ethernet port and that it doesn't have a lot of hardware for encryption compared to x86 CPU, you would be limited to about 2-3MBps transfer rate over SSH and you might be able to achieve about 10-12MBps transfer rate over NFS. This all depends on how big the backup files are -- if they are about 20MB each then there's no point in setting up NFS, if they are about 1GB each, then what you can do is to encrypt the files using GPG on the server where they are being backed up and then transfer them to an unsecured NFS share on Raspberry Pi when they then would be further processed and moved off the share.
>
> I'm assuming for Raspberry Pi you would use an external USB hard drive for storage, you could also increase network speed to about 400Mbps if you use USB2 to Ethernet Gigabit network adapter, which could be bought for about $20-$40.
>
> Alex.
>
> On 02/22/18 15:25, Giles Orr via talk wrote:
>> I used to use NFS back in 2000 - back when we still thought unsecured local services were okay. And I loved it - it was slow, but very useful. So I'd like to start using it again, but I want it secured. Apparently NFSv4 "mandates strong security" (according to Wikipedia): does that mean for authentication, or encryption of files "in flight," or both? And I keep seeing it mentioned with Kerberos: I've been researching Kerberos a bit and that really looks like something I'd rather NOT have to set up. Is it possible to run NFSv4 without Kerberos? Pointers to recent, good tutorials would also be deeply appreciated.
>>
>> I'm using Fedora 27 and Debian (stable or testing) on the clients. You can stomp me if you like for my plan to use a Raspberry Pi as the server - I'm not looking for speed as this will mostly be for backups. I'd probably use Raspbian unless there's a compelling reason to use one of the other Pi distros. Of course if this will really need more memory than the Pi has, that's another issue ...
>>
>> --
>> Giles
>> https://www.gilesorr.com/
>> gilesorr@gmail.com

--
Alvin Starr || land: (905)513-7688
Netvel Inc. || Cell: (416)806-0133
alvin@netvel.net ||

Giles Orr via talk wrote:
> I used to use NFS back in 2000 - back when we still thought unsecured local services were okay. And I loved it - it was slow, but very useful. So I'd like to start using it again, but I want it secured. ...

You might want to look at sshfs instead. This is a nifty thing that uses SSH, SFTP, and FUSE to let you mount storage from a remote box that you have SSH access to. Linux even lets non-root users do this in a way that makes the mount not exist for any other user. And since any user can look at the man page and just do it, there's far less hassle for the sysadmin to set up. And you don't have to open any new holes besides the already-well-tested SSH daemon.

> ... Is it possible to run NFSv4 without Kerberos? Pointers to recent, good tutorials would also be deeply appreciated.

My legacy uses of NFS are down to non-secret data that anyone on the LAN can mount read-only. Far easier that way, both to set up and to sleep at night.

> I'm using Fedora 27 and Debian (stable or testing) on the clients. You can stomp me if you like for my plan to use a Raspberry Pi as the server - I'm not looking for speed as this will mostly be for backups. ...

For backups of files that change rarely, rsync is a huge win; run it over SSH for private files. For the sort of data I publish on NFS, I usually also run rsync in server mode to help with the backups.

Depending on the relative speeds of CPU, storage, and network, crypto overhead can be free or it can be what throttles bandwidth. Tools like htop, iotop, and iftop can tell you what's happening.

--
Anthony de Boer

On Sat, Feb 24, 2018 at 10:50 AM, Anthony de Boer via talk <talk@gtalug.org> wrote:
> Giles Orr via talk wrote:
>> I used to use NFS back in 2000 - back when we still thought unsecured local services were okay. And I loved it - it was slow, but very useful. So I'd like to start using it again, but I want it secured. ...
>
> You might want to look at sshfs instead. This is a nifty thing that uses SSH, SFTP, and FUSE to let you mount storage from a remote box that you have SSH access to. Linux even lets non-root users do this in a way that makes the mount not exist for any other user. And since any user can look at the man page and just do it, there's far less hassle for the sysadmin to set up. And you don't have to open any new holes besides the already-well-tested SSH daemon.

I've used sshfs for a few years, and it's wonderful -- I can edit (what appears to be) locally, and Everything Just Works. Use

    sshfs user@domain:/path/to/Directory local_mountpoint

to connect, and

    fusermount -u local_mountpoint

to disconnect.

--
Alex Beamish
Software Developer / https://ca.linkedin.com/in/alex-beamish-5111ba3
Speaker Wrangler, Toronto Perlmongers / http://to.pm.org/
Baritone, Board Member, Toronto Northern Lights, 2013 Champions / www.northernlightschorus.com
Certified Contest Administrator, Barbershop Harmony Society / www.barbershop.org

participants (8)
- Alex Beamish
- Alex Volkov
- Alvin Starr
- Ansar Mohammed
- Anthony de Boer
- Giles Orr
- lsorense@csclub.uwaterloo.ca
- Robert Brockway