From owner-freebsd-security  Fri Jan 12 10:32:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108])
	by hub.freebsd.org (Postfix) with ESMTP id 213D137B400
	for ; Fri, 12 Jan 2001 10:32:11 -0800 (PST)
Received: (from danderse@localhost)
	by faith.cs.utah.edu (8.9.3/8.9.3) id LAA14789;
	Fri, 12 Jan 2001 11:31:59 -0700 (MST)
Message-Id: <200101121831.LAA14789@faith.cs.utah.edu>
Subject: Re: Encrypted networked filesystem needed
To: roman@xpert.com (Roman Shterenzon)
Date: Fri, 12 Jan 2001 11:31:59 -0700 (MST)
Cc: matrix@ipform.ru (Artem Koutchine), freebsd-security@FreeBSD.ORG
In-Reply-To: from "Roman Shterenzon" at Jan 12, 2001 08:22:58 PM
From: "David G. Andersen"
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Actually, let me be a bit more specific about my "You'll like SFS"
comment.

SFS provides an encrypted _and authenticated_ networked filesystem.
With tunneled NFS, you're exporting a fair bit of trust to the remote
host to which you're exporting a filesystem (unless you're incredibly
aggressive about mapping away bad UIDs). Furthermore, the systems must
have the same UID:username mappings.

With SFS, you get per-user cryptographic authentication remotely, and
you can access the machine from any client machine, not just the other
end of the encrypted tunnel.

So depending on which model you want (NFS-like, or more Kerberos-like),
either ipsec+nfs or SFS would be better.

  -Dave

Lo and behold, Roman Shterenzon once said:
> 
> On Fri, 12 Jan 2001, Artem Koutchine wrote:
> 
> > Hello!
> > 
> > I need a networked filesystem which transfers files from
> > host to host in an encrypted manner or can be tunnelled
> > over SSL (say, using stunnel).
> > 
> > NFS cannot be tunneled even when run in TCP mode because
> > of rpc stuff
> > 
> > I also heard of and have read about AFS and CODA, but it seems
> > like they do not support encryption, but maybe they could be tunneled.
> > 
> > Samba CAN be tunnelled but, IMHO, Samba plain
> > sux and we use it only for windows boxes which need to access unix
> > files.
> > 
> > So, is there a file system which supports encryption, and can AFS or CODA
> > be tunneled? Can AFS and CODA even substitute for NFS (in terms of
> > functionality and conveniences)?
> 
> If IPSec is supported on both sides, it is the best available solution.
> You'll get completely transparent encryption and a powerful NFSv3
> server/client. Did I mention that FreeBSD rocks?
> This way all network services will be secured, and since most of IPSec
> (AH/ESP) is done in kernel mode, it'll be quite fast even on
> moderate hardware.
> 
> --Roman Shterenzon, UNIX System Administrator and Consultant
> [ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 

-- 
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science   http://www.angio.net/
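The trust point Dave makes (tunneled NFS still honours whatever UID the client asserts unless the server maps client UIDs away) and the IPsec setup Roman recommends can both be shown as configuration. The following is an added example, not code from either poster or from the FreeBSD project: it writes a weak and a hardened exports(5) line plus a setkey(8) policy file to a scratch directory and lints the export lines for the `-mapall=` squash. The host addresses 192.0.2.10 (server) and 192.0.2.20 (client), the export paths, and the `check_exports` helper are all constructed for the example; nothing is applied to a live system.

```shell
#!/bin/sh
# Added example: IPsec-protected NFS on FreeBSD and the exports(5) UID mapping
# that limits the trust placed in the client. Addresses, paths and the
# check_exports helper are constructed for illustration; files are only
# written to a scratch directory so the script runs offline.

WORK=$(mktemp -d)

# Weak export: AUTH_SYS credentials sent by the client are honoured as-is, so
# any UID the client asserts becomes that UID on the server. Encrypting the
# wire with IPsec does not change this; it is the "exported trust" and the
# "same UID:username mappings" requirement the thread describes.
WEAK_EXPORTS='/export/home -network 192.0.2.0 -mask 255.255.255.0'

# Hardened export: -mapall squashes every client UID to nobody and only the
# single IPsec peer may mount. The server no longer relies on the client's
# idea of who the user is; per-user access control must live elsewhere
# (which is the gap SFS-style per-user authentication fills).
HARDENED_EXPORTS='/export/pub -ro -mapall=nobody 192.0.2.20'

# setkey(8) policy requiring ESP in transport mode for all traffic between
# the two hosts, in both directions. With this policy in force NFS over TCP
# is protected without stunnel; the SAs themselves still have to be set up
# (manual "add" lines or an IKE daemon), which this fragment does not do.
cat > "$WORK/setkey.conf" <<'EOF'
flush;
spdflush;
spdadd 192.0.2.10 192.0.2.20 any -P out ipsec esp/transport//require;
spdadd 192.0.2.20 192.0.2.10 any -P in  ipsec esp/transport//require;
EOF

# check_exports FILE: return 0 if every active export line squashes client
# UIDs with -mapall=..., otherwise print each offending line and return 1.
check_exports() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;          # skip blanks and comments
        esac
        case "$line" in
            *-mapall=*) ;;                # client UIDs are squashed
            *) printf 'trusts client UIDs: %s\n' "$line"; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

printf '%s\n' "$WEAK_EXPORTS" > "$WORK/exports.weak"
printf '%s\n' "$HARDENED_EXPORTS" > "$WORK/exports.hardened"

# Sample run: the weak file is flagged, the hardened file passes.
check_exports "$WORK/exports.weak" || echo "weak exports flagged (expected)"
check_exports "$WORK/exports.hardened" && echo "hardened exports OK"
```

The lint is deliberately narrow: `-maproot=` alone only remaps UID 0 and still trusts every other client UID, so it does not count as squashing. On a real server the policy file would be loaded with `setkey -f`, and `mountd` re-read the exports with a HUP; both steps are left out so the example stays offline.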