Securing NFSv4 WITHOUT Kerberos on a public cloud?

security nfs nfs4

I've lost enough hair trying to setup this Kerberos nonsense. Is there any way to secure an NFS v4 setup without using Kerberos on a public cloud, i.e:

  • all servers have a public IP (there is no internal IP or no VPC)
  • only known servers will be allowed to connect to NFS ports via appropriately setting up iptables
  • NFS traffic between servers should be ideally encrypted
  • all NFS clients are trusted
  • any network errors should not cause the client to crash or hang
  • all servers are running Ubuntu 18.04.1

server config:

# cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.1 LTS"

# uname -a
Linux prod-backoffice 4.15.0-42-generic #45-Ubuntu SMP Thu Nov 15 19:32:57 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Solution 1:

There was an article on linuxjournal how to use stunnel to provide a secure connection between nfs client and server. As NFSv4 uses only a single port, then you have to do it only once.

This article have triggered a new activity in NFSv4 IETF working group and now there is an attempt to standardize such deployments. But this will take some time to implement, test and get deployed on client and servers.

Related

Ansible webserver backup: pull other host vars to generate backup scripts
SFTP error "Received unexpected end-of-file from SFTP server" on CentOS 6
How to tell if auditd has suspended logging?
How to get virtualenv for compiled python (missing pip/easy_install)?
Does Gladius work with the XBox360?
Online Playing for Age of Empires - Conquerors [duplicate]
Why did many commodore 64 games feature different music than their original Arcade or other computers version? [closed]
DS won't power up
Why does the # mean beside trained units in SC2?
Is it possible to know why we received badges?
Halo Reach Credits custom games
Is there an easy way to select a specific number of one type of unit out of a group?