# More secure alternatives for NFS

## nielchiano

Hi,

I currently use NFS to have the home-directories spread around the network.

However, I don't like the way NFS handles "security".

I'm looking for a more secure alternative than NFS. One that does NOT thrust the the machines by just their IP.

What are the pro's / con's for some alternatives? I heard about shfs, but I think that I'd have to patch my kernel for that?

I also heard of AFS. Kernel support is already default (in 2.6.7 at least), but I guess I need to have a Kerberos server.

Are there any other alternatives; what are the pros/cons of these items. Are they really as secure as they pretend?

----------

## codergeek42

shfs is relatively simple:

```
# emerge shfs

$ mount -t shfs user@host:/path/to/dir /place/to/mount
```

In fact, I use it on a regular basis to transfer things to/from my SourceForge.net project hosting.  :Smile: 

----------

## cweilema

 *codergeek42 wrote:*   

> shfs is relatively simple:
> 
> ```
> # emerge shfs
> 
> ...

 

I've looked at a ton of NFS security threads here, and after reading this, I guess my question now is would you say that shfs would be good for a college campus network where I have two computers and want to use one as a backup for my main computer?

If not, can you suggest an alternative or point me to a thread I might have overlooked?    :Wink: 

-Chris

----------

## depontius

 *cweilema wrote:*   

>  *codergeek42 wrote:*   shfs is relatively simple:
> 
> ```
> # emerge shfs
> 
> ...

 

Actually, it looks to me as if shfs would be very good for a college campus. I think of college campus networks as some of the worst security environments around. Using ssh as the transport layer sounds good, since it's designed specifically for security. I suspect you will give up some performance for this, but IMHO it's a good tradeoff on a campus network.

On a slightly different line, Does anyone know the status of nfsV4 under Gentoo? I know nfsV4 is generally not finished, but whenever I build a kernel, I see the client and server options there. Last time I looked on the portage database, I didn't see userland tools for nfsV4. From what I understand, nfsV4 would address security concerns, and have good performance.

----------

## nielchiano

 *cweilema wrote:*   

> a college campus network where I have two computers and want to use one as a backup for my main computer?

 

Depends on what you mean by backup. I have that kind of setup and I simply use the following:

call the computers A en B.

on A: 

```
tar jcv / | ssh -i key name@B "cat > backup-file.tar.bz2"
```

To have it work you'll need to set up SSH-key's, but that isn't hard.

This doesn't give you file-system-mount, but the backups will come over!

----------

## cweilema

 *nielchiano wrote:*   

>  *cweilema wrote:*   a college campus network where I have two computers and want to use one as a backup for my main computer? 
> 
> Depends on what you mean by backup. I have that kind of setup and I simply use the following:
> 
> call the computers A en B.
> ...

 

I think you're pretty close to what I'm looking for.  Basically, I want to back up my /home/ and /etc/ directories to a remote computer (the second box).  I've looked up tutorials, but haven't found any that really meet my needs.  Do you have any suggestions?

-Chris

----------

## nulltensor

 *Quote:*   

> I think you're pretty close to what I'm looking for. Basically, I want to back up my /home/ and /etc/ directories to a remote computer (the second box). I've looked up tutorials, but haven't found any that really meet my needs. Do you have any suggestions?
> 
> -Chris

 

Are you looking to just mirror the /home and /etc directories?  If so that can be done via

```
tar jcv /etc /home | ssh -i key name@B "tar jxf -"
```

Not as elegant as rsync over ssh though

```
rsync -avz -e "ssh -i key" name@B:/backup/etc /etc

rsync -avz -e "ssh -i key" name@B:/backup/home /home

 
```

----------

## nielchiano

rsync doesn't compress and make nice archives;

but tar doesn't mirror...

so depending on what you want, both might be a solution

You could also do a mirror+snapshot: Keep the last n mirrors. This can be done using hard-links and takes almost no space:

```
cd /backup/dir/

rm -rf backup.5

mv backup.4 backup.5

...

mv backup.0 backup.1

cp -al backup.1 backup.0

#rsync over the changes
```

----------

## cweilema

 *nielchiano wrote:*   

> rsync doesn't compress and make nice archives;
> 
> but tar doesn't mirror...
> 
> so depending on what you want, both might be a solution
> ...

 

Basically what I'm looking for is to create a /backup/ folder on the computer, and I want an <b>exact</b> copy of /home/ and /etc/, not compressed...  Just as is...  But, I also want this to be done as a cron job...  I can see how I would do it using rsync, but I guess I'm not seeing how I get around having to enter a password.  Unless I'm completely confused.

Sorry for the noob questions, but thanks for the help!   :Very Happy: 

-Chris

----------

## nielchiano

rsync or tar doesn't matter for this; the problem you have is: to make an ssh-connection ssh requires a password.

There is an easy way around it; but a bit less secure: using keys.

http://www.phy.bnl.gov/computing/gateway/ssh-agent.html

usualy you encrypt your key with a password; but for this purpose you shouldn't!

So in the guide you MUST leave the password empty!

This is a possible security flaw: everyone which can access that key-file can impersonate you on the target machine!!! so make sure it's mode 400 owned by root:root or something similar

----------

## cweilema

 *nielchiano wrote:*   

> rsync or tar doesn't matter for this; the problem you have is: to make an ssh-connection ssh requires a password.
> 
> There is an easy way around it; but a bit less secure: using keys.
> 
> http://www.phy.bnl.gov/computing/gateway/ssh-agent.html
> ...

 

Thanks for the link, seems like that would work.  But, I'm wondering, is it possible to have a script that could be set rwx------ in my home directory (or elsewhere) that could give a simple password for a "backup" user on the other computer?  Meaning, could I what was discussed above, yet still use a passphrase?

-Chris

----------

## nielchiano

 *cweilema wrote:*   

>  *nielchiano wrote:*   rsync or tar doesn't matter for this; the problem you have is: to make an ssh-connection ssh requires a password.
> 
> There is an easy way around it; but a bit less secure: using keys.
> 
> http://www.phy.bnl.gov/computing/gateway/ssh-agent.html
> ...

 

I don't see the difference between the two...you use a RSA/DSA key to authenticate. that key is in a file which should be set 400 of 600 or something secure enough for youyou authenticate using a password which you store in a file with adequate security

both store the "secret" thing in a file; only the first way is widely supported, while the second is kind-of a "dirty" patch

----------

## cweilema

Okay, I have something that works, but I'm wondering if you could tell me if what I'm doing is a good thing to do...  For this example, I'll use "A" as my main computer and "B"  for the computer I am backing up to...

I created a script called "backup" on A in /usr/local/sbin/, chmod 700, containing:

```

#!/bin/bash

if [ -a /backup/*.tar.gz ]

then

        exit

else

        tar -czpf /backup/etc.tar.gz /etc && \

        tar -czpf /backup/school.tar.gz /school/work/

        chmod 600 /backup/*.tar.gz && \

        rsync -avz -e "ssh -i /root/.ssh/id_rsa" /backup/* B:/backup/

fi

```

I also created a passphrase-less SSH key on A... Then:

```

root@A $ scp id_rsa.pub B:~/.ssh/authorized_keys

root@A $ rm ~/.ssh/id_rsa.pub

root@A $ chmod 400 ~/.ssh/id_rsa

```

Then, on B...

```

root@B $ chmod 400 ~/.ssh/authorized_keys
```

I tested the script and it works, but it takes forever to rsync...  Only at about 16 KB/sec.  I'm going through a hub, so I'm wondering if I have collisions.

-Chris

----------

## nielchiano

the -z flag for rsync is useless: you can't zip already zipped data, so it might be that your computer is trying realy hard to compress uncompressible data...

but why not directly back up to the remote machine? do you want to keep it localy as well?

and why use rsync, and not just scp?

----------

## cweilema

 *nielchiano wrote:*   

> the -z flag for rsync is useless: you can't zip already zipped data, so it might be that your computer is trying realy hard to compress uncompressible data...

 

Hmm... Good point.   :Wink: 

 *Quote:*   

>  but why not directly back up to the remote machine? do you want to keep it localy as well?
> 
> and why use rsync, and not just scp? 

 

So, would you change the "rsync" command to be an "scp" with the same ssh key, or is there more to it than that?  And you'd also "rm" the tar files from the local machine once everything is complete?

-Chris

----------

## nielchiano

 *cweilema wrote:*   

>  *Quote:*    but why not directly back up to the remote machine? do you want to keep it localy as well?
> 
> and why use rsync, and not just scp?  
> 
> So, would you change the "rsync" command to be an "scp" with the same ssh key, or is there more to it than that?  And you'd also "rm" the tar files from the local machine once everything is complete?
> ...

 

Yep, just change it to scp with the same key.

weather or not to rm the files is up to you. If you want to keep the backup localy as wel, then do so.

My backups are for the case that my HDD fails; so having a local backup is useless (since it will be gone, together with the HDD)

----------

