Securing NFSv4 WITHOUT Kerberos on a public cloud?
I've lost enough hair trying to setup this Kerberos nonsense. Is there any way to secure an NFS v4 setup without using Kerberos on a public cloud, i.e:
- all servers have a public IP (there is no internal IP or no VPC)
- only known servers will be allowed to connect to NFS ports via appropriately setting up iptables
- NFS traffic between servers should be ideally encrypted
- all NFS clients are trusted
- any network errors should not cause the client to crash or hang
- all servers are running Ubuntu 18.04.1
server config:
# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.1 LTS"
# uname -a
Linux prod-backoffice 4.15.0-42-generic #45-Ubuntu SMP Thu Nov 15 19:32:57 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Solution 1:
There was an article on linuxjournal how to use stunnel to provide a secure connection between nfs client and server. As NFSv4 uses only a single port, then you have to do it only once.
This article have triggered a new activity in NFSv4 IETF working group and now there is an attempt to standardize such deployments. But this will take some time to implement, test and get deployed on client and servers.