Hacker News new | past | comments | ask | show | jobs | submit login
Demystifying Secure NFS (blogsystem5.substack.com)
5 points by jmmv 6 months ago | hide | past | favorite | 4 comments



In 2018, I wrote an article on pushing NFSv4 through stunnel, resulting in NFS over TLS. Emails between NFS kernel developers indicate that this is much faster than Kerberos, and the RSA key setup that I published was adopted in RFC-9289 (which I assume also addresses the performance issue).

https://www.linuxjournal.com/content/encrypting-nfsv4-stunne...

Edit: Some time after I published, one of the RFC authors outlined the NFS architectural changes in a blog post.

https://blogs.oracle.com/linux/post/encrypting-nfs-data-on-t...


Original author here. I wrote this article because I have set up NFSv4 with Kerberos twice so far and, both times, I ended up with a functional system but… very frustrated by how difficult and fragile everything seems.

That said, I still have a bunch of unanswered questions (all listed at the bottom of the article) and I suspect that some of you folks might have some insightful answers or corrections… hence why I’m submitting the article myself. If you do have any of those insights, please share here or there. And thanks!


Thank you for writing about NFS.

> Yet, when you look around, people say “oh, but NFSv3 is fine if you trust the network!” But seriously, who trusts the network in this day and age?

My understanding is in the last 5-10 years we got a bit of trust back in the network through the return of the VPN with WireGuard, Tailscale, ZeroTier & co.

Because Kerberos and those VPN are doing a bit the same thing: authenticating hosts and encrypting communications.

I am unfamiliar with NFS but it seems to me for fine grain control the ideal would be able to map hosts on the network to users in NFS. Could we do that?


Setting up a VPN between exclusively two machines would do the trick mostly. Note, however, that if a malicious user compromised the client, they'd still get unfettered access to the whole file system of the server -- whereas with NFSv4, they'd only get access to the files accessible by the Kerberos principal of the client.

Also, when I wrote this, I was thinking about the use case of a home network: running a VPN within such a network sounds really strange, but such a network is full of less-than-trustable IoT devices and the like.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: