Secure Network Filesystems for Linux: What are people doing?

Solution 1:

Since it's a specific question (What are you all doing), let's answer it: nothing. Most administrators and users just don't worry about NFS security, so everybody uses NFSv3. It's typically a controlled environment (in the sense that only well-known machines can attach to the network in the first place). If somebody gets caught abusing the infrastructure, they get fired or go to jail.

For data that you really don't want anybody to be able to read, you encrypt them explicitly, e.g. Firefox password databases, ssh keys, or pgp keys. You do that because you know the admin could read them on the file server, so network file system security would not be of any help, anyway.

Solution 2:

You seem to be asking two questions here:

"What are we actually using?" and "What does this?"

What I'm actually using is CIFS, in my use-cases POSIX is less important so I haven't had any problems. NFS3 is used in areas where security isn't important, such as my SLES install server. And finally, sshfs/gvfs for simple user-land sharing. Wireline encryption is not deemed needed, so that isn't a meaningful factor for us.

As for the other question, there seem to be six main requirements for what you're looking for:

  1. Encrypts traffic on the wire.
  2. Encrypts authentication.
  3. Posix semantics.
  4. Strong enforcement of server-based ACLs.
  5. Is not userland.
  6. Is actually used.

I suspect points 5 and 6 will be the killers here, but here goes (also, this is the point where a table would be really handy, but markdown/StackExchange doesn't support it).

NFSv3 + IPSec

  1. Encrypted on the wire, pass
  2. No encrypted authentication, fail
  3. Posix semantics, pass
  4. No strong enforcement of server-based ACLs, fail
  5. Is not userland, pass
  6. Is actually used, pass

NFSv4 + Krb + IPSec

  1. Encrypted on the wire, pass
  2. Encrypted authentication, pass
  3. Posix semantics, pass
  4. Strong enforcement of server-based ACLs, pass
  5. Is not userland, pass
  6. Is not actually used, fail

CIFS

  1. Not encrypted on the wire, fail
  2. Encrypted authentication
  3. Posix semantics, pass (Samba & Kernel now, Windows has had a Posix layer since the NT days)
  4. Strong enforcement of server-based ACLs, pass
  5. Is not userland, pass
  6. Is actually used, pass

CIFS + IPSec

  1. Encrypted on the wire, pass
  2. Encrypted authentication
  3. Posix semantics, pass (Samba & Kernel now)
  4. Strong enforcement of server-based ACLs, pass
  5. Is not userland, pass
  6. Is not actually used, fail

SSHFS

  1. Encrypted on the wire, pass
  2. Encrypted authentication, pass
  3. Posix semantics, pass
  4. Strong enforcement of server-based ACLs, pass
  5. Is userland, fail
  6. Is actually used, pass

AFP/NetATalk

  1. Encrypted on the wire, fail
  2. Encrypted authentication, pass
  3. Posix semantics, pass
  4. Strong enforcement of server-based ACLs, pass
  5. Is not userland, pass
  6. Is actually used, fail

And I'm not touching the distributed file-systems out there. There simply isn't one single thing that does it all. Some come close (CIFS) and some are already there but no one uses them (NFS4 + IPSec, CIFS+IPSec). For some reason a secure network filesystem is something that has been subjected to a lot of compromises over the years.
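The answer above scores each option on whether authentication and traffic are protected. For NFS that decision is carried by the RPCSEC_GSS security flavour on each mount, so the following script, an added example that is not part of the original answer, parses /proc/mounts-style lines and reports which NFS mounts fail criteria 1 and 2. The mount lines are constructed; the flavour names (sys, krb5, krb5i, krb5p) are the real ones.

```python
"""Audit NFS mounts against criteria 1 and 2 of the list above.

Added example, not from the original answer. It reads lines in the
/proc/mounts layout (source mountpoint fstype options dump pass) and
classifies each NFS mount by its RPCSEC_GSS security flavour:
  sec=sys    no Kerberos: neither the caller's identity nor the traffic is
             protected (the NFSv3 default the answer describes)
  sec=krb5   Kerberos authentication, payload in the clear
  sec=krb5i  authentication plus integrity, payload still readable
  sec=krb5p  authentication plus encryption ("privacy")
"""
from dataclasses import dataclass, field


# Constructed sample in /proc/mounts layout; not captured from a real host.
SAMPLE_MOUNTS = """\
fileserver:/export/home /home nfs4 rw,relatime,vers=4.1,sec=krb5p,clientaddr=10.0.0.5 0 0
installsrv:/srv/sles /mnt/install nfs rw,relatime,vers=3,sec=sys,addr=10.0.0.9 0 0
fileserver:/export/scratch /scratch nfs4 rw,relatime,vers=4.0,sec=krb5 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""

# What each flavour gives you, in terms of the answer's criteria 1 and 2.
FLAVOUR_PROPERTIES = {
    "sys":   {"auth_encrypted": False, "wire_encrypted": False},
    "krb5":  {"auth_encrypted": True,  "wire_encrypted": False},
    "krb5i": {"auth_encrypted": True,  "wire_encrypted": False},
    "krb5p": {"auth_encrypted": True,  "wire_encrypted": True},
}


@dataclass
class NfsMount:
    source: str
    mountpoint: str
    fstype: str
    options: dict = field(default_factory=dict)

    @property
    def flavour(self) -> str:
        # mount.nfs falls back to AUTH_SYS when no sec= option is present
        return self.options.get("sec", "sys")


def parse_mounts(text: str) -> list:
    """Return the NFS entries from /proc/mounts-style text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        source, mountpoint, fstype, optstr = fields[:4]
        if fstype not in ("nfs", "nfs4"):
            continue
        options = {}
        for opt in optstr.split(","):
            key, _, value = opt.partition("=")
            options[key] = value
        mounts.append(NfsMount(source, mountpoint, fstype, options))
    return mounts


def audit(text: str) -> dict:
    """Map each NFS mountpoint to the list of criteria it fails (empty = passes both)."""
    findings = {}
    for m in parse_mounts(text):
        props = FLAVOUR_PROPERTIES.get(m.flavour)
        if props is None:
            findings[m.mountpoint] = ["unrecognised security flavour sec=%s" % m.flavour]
            continue
        problems = []
        if not props["auth_encrypted"]:
            problems.append("authentication not protected (sec=%s)" % m.flavour)
        if not props["wire_encrypted"]:
            problems.append("traffic readable on the wire (sec=%s); use krb5p or IPsec" % m.flavour)
        findings[m.mountpoint] = problems
    return findings


if __name__ == "__main__":
    for mountpoint, problems in audit(SAMPLE_MOUNTS).items():
        print(mountpoint, "OK" if not problems else "; ".join(problems))
```

Run on a live host by feeding it `open("/proc/mounts").read()` instead of the sample. Only sec=krb5p satisfies both criteria on its own; a krb5 or krb5i mount still needs IPsec underneath to pass criterion 1, which is exactly the "NFSv4 + Krb + IPSec" row above.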

Solution 3:

I've been using openafs in production for years, with both Linux and Windows clients. It works great, has an active development community, and has gotten much easier to install and administer over the last few years as the various Linux distros have included packaging for it. It has its warts, but I've found that they are offset by more administrative flexibility, the ability to have clients and servers separated by slow links, the ease of offsite backups, and other positive AFSisms.

One thing I like in particular is running production internet-facing web servers on openafs, with the ACLs locked down. Without a Kerberos ticket there is no process on the machine -- even one running as root -- that can write to the filesystem. I can't count how many times we've noticed attacks utterly fail because of that simple measure.

There are some pretty large openafs users -- the largest commercial user I know of is Morgan Stanley.
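The "no token, no write, even as root" property described in the answer above follows from how AFS evaluates directory ACLs: the Cache Manager identifies a caller by its Kerberos token, not its Unix uid, and an untokened process only matches the system:anyuser entry. The following model, an added example that is not part of the original answer, reproduces that evaluation on a constructed ACL for a web document root. The rights letters, shorthands, negative entries and system: groups follow the OpenAFS rules; the cell name, users and group membership are made up.

```python
"""Model of AFS directory ACL evaluation.

Added example, not from the original answer. The rights letters (r l i d w
k a), the "read"/"write"/"all"/"none" shorthands, positive and negative
entries and the system:anyuser / system:authuser groups follow the OpenAFS
ACL rules; the directory, users and group memberships are constructed.
The point it shows: a process without a Kerberos token is treated as
system:anyuser regardless of its Unix uid, so root without a token gets
only what system:anyuser is granted.
"""

RIGHTS = "rlidwka"  # read, lookup, insert, delete, write, lock, administer
SHORTHAND = {"read": "rl", "write": "rlidwk", "all": "rlidwka", "none": ""}

# Constructed group membership (in real AFS this lives in the Protection DB).
GROUPS = {"web:admins": {"alice", "bob"}}

# Constructed ACL for a web document root, as it would be set with
#   fs setacl /afs/example.com/www system:anyuser read
#   fs setacl /afs/example.com/www web:admins all
#   fs setacl /afs/example.com/www bob a -negative
ACL = {
    "positive": {"system:anyuser": "read", "web:admins": "all"},
    "negative": {"bob": "a"},
}


def expand(spec: str) -> set:
    """Turn a shorthand or letter string into a set of rights letters."""
    letters = SHORTHAND.get(spec, spec)
    bad = set(letters) - set(RIGHTS)
    if bad:
        raise ValueError("unknown rights: %s" % "".join(sorted(bad)))
    return set(letters)


def matches(entry: str, principal, groups: dict) -> bool:
    """Does an ACL entry apply to this principal (None = no token)?"""
    if entry == "system:anyuser":
        return True
    if principal is None:
        return False  # unauthenticated: nothing but system:anyuser applies
    if entry in ("system:authuser", principal):
        return True
    return principal in groups.get(entry, set())


def effective_rights(acl: dict, principal, groups: dict = GROUPS) -> str:
    """Positive rights from every matching entry, minus negative rights."""
    granted, denied = set(), set()
    for entry, spec in acl["positive"].items():
        if matches(entry, principal, groups):
            granted |= expand(spec)
    for entry, spec in acl["negative"].items():
        if matches(entry, principal, groups):
            denied |= expand(spec)
    return "".join(r for r in RIGHTS if r in granted - denied)


def can_create_file(acl: dict, principal, groups: dict = GROUPS) -> bool:
    """Creating a file needs insert on the directory (plus lookup to reach it)."""
    rights = effective_rights(acl, principal, groups)
    return "i" in rights and "l" in rights


if __name__ == "__main__":
    for who in (None, "alice", "bob", "mallory"):
        label = "root, no token" if who is None else who
        print("%-15s rights=%-8s can create: %s"
              % (label, effective_rights(ACL, who) or "-", can_create_file(ACL, who)))
```

On a real cell the same check is `fs listacl` on the directory, and the locked-down state is reached with `fs setacl` as in the comments. Note that mallory, who has a valid token but no group membership, also gets only the system:anyuser rights, and that bob's negative entry strips administer without touching his write access.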