Ssh – Securing NFS against SSH tunneling

nfssshssh-tunnel

I was idly reading http://nfs.sourceforge.net/nfs-howto/ar01s06.html trying to understand why localhost exports were bad when I got to the section "6.4. Tunneling NFS Through SSH". Everything in that section about it being a possible security vulnerability to export localhost because it allows others to ssh port forward in and access the share made sense.

Here's my question, how does one keep ssh tunnels from undermining the security of a system if users can ssh in to a machine that can connect to an NFS server? For instance imagine computers A(192.168.1.1), B(192.168.1.2) and C(192.168.1.3). Let A be the server with the following export file:

/home 192.168.1.2(rw)

As you can see A is giving B permission to use the /home share. Now, let C ssh into B with:

$ ssh 192.168.1.2 -L 250:192.168.1.1:2049  -f sleep 60m
$ ssh 192.168.1.2 -L 251:192.168.1.1:32767 -f sleep 60m

It would seem that A's shares exported to B are vulnerable to anyone that can ssh into B. Is this the case? Is there a way to protect against this other than simply making sure anyone that can log into B is a very trusted user?

Best Answer

That's a very old document your looking at it talks about kernel version 2.4 which came out in 2001, a lot have changes have happened in the last 12 years. Although some things remain the same.

I only have CentOS 6.x boxes to play with which uses nfsv4 by default. To allow the connection via an intermediate machine I had to export the filesystem with insecure set.

So to answer your question use nfsv4 and use the default secure mode. If you have sufficient privilege on B you can also set

AllowTcpForwarding no

in it's /etc/ssh/sshd_config.

As ever though with security if you give people privilege, you have to trust them.

Related Solutions

Ubuntu – How to VNC using a SSH Tunnel from one Ubuntu box into another

Enter in all the connection information on the main putty screen. Sounds like you will be using port 443 instead of 22 to connect from the outside. Then go to the Tunnels section and put in 5092 for the Source port. Put in localhost:5900 for the destination. Leave the radio buttons to Local and Auto. Click Add so it shows up in the list and then open up the connection

putty port forward config

When you open up the connection, you will have access to "localhost:5900" from the perspective of the server. You can access it from your local port 5092.

To connect to the server using vnc, plug in localhost:5092 for the host. enter image description here

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

Best Answer

Related Solutions

Ubuntu – How to VNC using a SSH Tunnel from one Ubuntu box into another

Ssh – How to automate SSH login with password

Related Topic