installing nfs server to work on a ssh tunnel
TRANSCRIPT
-
8/6/2019 Installing NFS Server to Work on a SSH Tunnel
1/3
Installing NFS server to work on a SSH Tunnel
The goal of this howto is building a NFS server that works on a SSH tunnel. This way all traffic
between your hosts and the file server is encrypted and thus more secure :)
Normally you should enter a password every time you try to establish a SSH connection but since we
could be mounting at bootup we will use ssh-keygen to create a keypair so we can login without
entering a password. We will, however, limit that login session to executing just 1 command ;)
We will use a new clean Debian Sarge install to begin with.
In this howto I will use the fictional domain "linux.lan".
Installing Software
We will start with the NFS server.
apt-get -y install nfs-kernel-server
First configure it to run on fixed ports, this will make building a firewall much easier but equally
important it aids in simpler client mounts.
echo "STATDOPTS=--port 2231" > /etc/default/nfs-common
echo "options lockd nlm_udpport=2232 nlm_tcpport=2232" >> /etc/modules.conf echo "RPCNFSDCOUNT=8 RPCMOUNTDOPTS='-p 2233'" > /etc/default/nfs-kernel-server
Thats it, now we can use port 2233 later on when we mount the shares :) check if it worked with
rpcinfo -p. If nlockmgr still uses random ports it is a compiled in setting. Configure this in grub/lilo as
kernel parameters:
"lockd.udpport=2232 lockd.tcpport=2232".
Create a new user called sleeper to use for setting up the ssh tunnel from other hosts. We will
generate a key for this account so you can login with a keyfile instead of typing your password
everytime. The account will also be restricted to execute 'sleep' trough this way. Other commands will
simply fail.
adduser sleeper su sleeper
-
8/6/2019 Installing NFS Server to Work on a SSH Tunnel
2/3
Now switch over to a client that will use our fileserver.
First we need a key:
ssh-keygen -t rsa -b 2048
(use defaults and NO passphrase!)
Now copy the .pub file to the homedir of sleeper on the server:
scp -P 12345 ~/.ssh/id_rsa.pub [email protected]:~/
Now back to the server: As the 'sleeper' user we need to configure/install the key:
mkdir ~/.sshcd ~/.sshmv ../id_rsa.pub ./id_rsa.pubcat id_rsa.pub >> authorized_keyschmod 600 authorized_keys
Add this to the beginning of authorized_keys (before ssh-rsa [...]):
client="client.linux.lan",command="/bin/sleep 600d"
substitute "client" with the correct hostname of your client, or use ip numbers.(but make sure every entry stays on 1 line!)
Every client that needs access to the fileserver needs to store his security data (from the id_rsa.pub
file) in the authorized_keys file, so you should repeat this for every host.
M ounting NFS over SSH on your clients
Issue these commands to start the tunnels for nfs and mountd:
(syntax: ssh -f -c encyption -L localport:nfsserver:nfsport -l username nfsserver remotecommand)
Also note that the portnumber for mountd is different with every restart of the NFS server... Keep thatin mind.
ssh -f -i /root/.ssh/id_rsa -c blowfish -L 61001:10.0.0.241:2049 -l sleeper 10.0.0.241sleep 600d
-
8/6/2019 Installing NFS Server to Work on a SSH Tunnel
3/3
ssh -f -i /root/.ssh/id_rsa -c blowfish -L 62001:10.0.0.241:2233 -l sleeper 10.0.0.241sleep 600d
This creates a connection that will stay alive for almost 2 years... :)
Now edit your fstab and mount:
echo "localhost:/export/data /mnt nfstcp,rsize=8192,wsize=8192,intr,rw,bg,nosuid,port=61001,mountport=62001,noauto" >> /etc/fstab mount /mnt
Ofcourse we need some mountable folders (shares) defined on the NFS server:
mkdir /exportmkdir /export/data
mkdir /export/www-virtualmkdir /export/www-conf mkdir /export/mail-virtualmkdir /export/mail-conf
Add them to /etc/exports:
/home/export/data 10.0.0.241(rw,root_squash,sync)
Notice the ip address is the nfs server itself? Its because youll mount them from localhost when you
have established the ssh tunnel.
Some security settings since we dont want anyone from outside our network to access the server:
echo "portmap: ALL" > /etc/hosts.deny echo "portmap: 10.0.0.0/255.255.255.0" > /etc/hosts.allow