Date:      Fri, 12 Jan 2001 11:31:59 -0700 (MST)
From:      "David G. Andersen" <dga@pobox.com>
To:        roman@xpert.com (Roman Shterenzon)
Cc:        matrix@ipform.ru (Artem Koutchine), freebsd-security@FreeBSD.ORG
Subject:   Re: Encrypted networked filesystem needed
Message-ID:  <200101121831.LAA14789@faith.cs.utah.edu>
In-Reply-To: <Pine.LNX.4.30.0101122013350.25136-100000@jamus.xpert.com> from "Roman Shterenzon" at Jan 12, 2001 08:22:58 PM

Actually, let me be a bit more specific about my "You'll like
SFS" comment.

SFS provides an encrypted _and authenticated_ networked
filesystem.  With tunneled NFS, you're exporting a fair bit of trust to
the remote host to which you're exporting a filesystem (unless you're
incredibly aggressive about mapping away bad UIDs).  Furthermore, the
systems must have the same UID:username mappings.  With SFS, you get
per-user cryptographic authentication remotely, and you can access the
machine from any client machine, not just the other end of the encrypted
tunnel.

So depending on which model you want (NFS-like, or more Kerberos-like),
either ipsec+nfs or SFS would be better.

  -Dave

Lo and behold, Roman Shterenzon once said:
> 
> On Fri, 12 Jan 2001, Artem Koutchine wrote:
> 
> > Hello!
> >
> > I need a networked filesystem which transfers files from
> > host to host in encrypted manner or can be tunnelled
> > over SSL (say, using stunnel).
> >
> > NFS cannot be tunneled even when run in TCP mode because
> > of rpc stuff
> >
> > I also heard of and have read about AFS and CODA, but it seems
> > like they do not support encryption, but maybe they could be tunneled.
> >
> > Samba CAN be tunnelled but, IMHO, Samba plain
> > sux and we use it only for windows boxes which need to access unix
> > files.
> >
> > So, is there a file system which supports encryption and can AFS or CODA
> > be tunneled? Can AFS and CODA even substitute NFS (in terms of
> > functionality and convenience)?
> 
> If IPSec is supported on both sides, it is the best available solution.
> You'll get a completely transparent encryption and a powerful NFSv3
> server/client. Did I mention that FreeBSD rocks?
> This way all network services will be secured and since most of IPSec
> (AH/ESP) is done in the kernel mode, it'll be quite fast even on
> moderate hardware.
> 
> --Roman Shterenzon, UNIX System Administrator and Consultant
> [ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 


-- 
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
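
The UID trust point made in the reply above, as an added example that is not part of the original e-mail: a Python check that compares passwd(5) listings from an NFS server and a client and flags client UIDs the server would attribute to a different account. The passwd excerpts, the function names, and the rule that UID 0 is always a candidate for mapping away are assumptions made for this illustration.

```python
# Added example: audit UID:username agreement between an NFS server and client.
# Both passwd excerpts are constructed sample data, not taken from the thread.
SERVER_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/sh
carol:*:1003:1003:Carol:/home/carol:/bin/sh
"""

CLIENT_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
mallory:*:1002:1002:Mallory:/home/mallory:/bin/sh
carol:*:1005:1005:Carol:/home/carol:/bin/sh
dave:*:1006:1006:Dave:/home/dave:/bin/sh
"""


def parse_passwd(text):
    """Return {uid: name} from passwd(5)-format text (first name wins per UID)."""
    by_uid = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip comments and malformed entries rather than guess
        by_uid.setdefault(int(fields[2]), fields[0])
    return by_uid


def audit_uid_trust(server_text, client_text):
    """Classify client UIDs by how a server that trusts client-asserted
    UIDs (as NFS does by default) would interpret them."""
    server, client = parse_passwd(server_text), parse_passwd(client_text)
    server_names = {name: uid for uid, name in server.items()}
    report = {"aliased": [], "drifted": [], "squash": []}
    for uid, cname in sorted(client.items()):
        sname = server.get(uid)
        if sname is not None and sname != cname:
            # Client user would act on the server as a different account.
            report["aliased"].append((uid, cname, sname))
        if cname in server_names and server_names[cname] != uid:
            # Same user name, different number: files appear owned by someone else.
            report["drifted"].append((cname, uid, server_names[cname]))
        if uid == 0 or (sname is not None and sname != cname):
            report["squash"].append(uid)  # candidate to map away on the server
    return report


if __name__ == "__main__":
    print(audit_uid_trust(SERVER_PASSWD, CLIENT_PASSWD))
```
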

