Tunnel nfs v3 over ssh

Not happy with the security properties of nfs? You could run nfs v4. Or you could tunnel nfs v3 over ssh.

Modify your mount_nfs command

You will need the server's file handle, and you will need to be able to mount using this file handle, bypassing portmap and mountd. The modified mount command lets you do both of these things.

mount_nfs41.diff
Patch for OpenBSD 4.1 mount_nfs

nfsmount.diff
Patch for Linux nfsmount

Find the server's file handle

Do this on a client that has permission to mount your server. In this OpenBSD example, s1 is your nfs server. The long string of hex digits is the file handle.

# /sbin/mount_nfs -nvT s1:/ /mnt
10.0.0.1:2049:fdddeb5919307f1c3fad6441660c192060e4b3dcc0c30df3c902d534b40cd2d3 s1:/

Linux is similar. Use the "gethandle" option.

Set up the tunnel

In this example, s1 is your nfs server, and s2 is a host that you can ssh to and that is within s1's security perimeter. It may be the same as s1, or it may be on the same relatively secure physical net. It also must have permission (via /etc/exports) to mount s1. Only the leg from the client to s2 is carried by ssh; nfs traffic between s2 and s1 is still in the clear, which is why s2 must be inside s1's perimeter. "12345" is an arbitrary local port number.

% ssh -fN -L 12345:s1:2049 s2

Mount the server

Use an fstab entry like this on OpenBSD:

s1:/ /mnt nfs rw,-3,-T,-h=127.0.0.1:12345:fdddeb5919307f1c3fad6441660c192060e4b3dcc0c30df3c902d534b40cd2d3 0 0

Linux is similar. Use the "handle=" option. You also need the "nolock" option.
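As an added example, not part of this page or of the patches above, a small POSIX sh helper that pulls the file handle out of the "mount_nfs -nvT" output, builds the ssh tunnel command, and emits the OpenBSD fstab line. The function names are this example's own; s1, s2 and port 12345 are the names used above.

```shell
#!/bin/sh
# Added example, not from the original page. Hostnames s1/s2 and port
# 12345 are the ones used on the page; the function names are ours.

# Extract the file handle from a line of the form
#   10.0.0.1:2049:<hex handle> s1:/
# as printed by the patched mount_nfs. Prints the handle, or returns 1
# when the line does not have that shape or the handle is not hex.
handle_from_line() {
    line=$1
    spec=${line%% *}            # first field: addr:port:handle
    handle=${spec##*:}          # text after the last colon
    case $handle in
        ''|*[!0-9a-fA-F]*) return 1 ;;   # empty or non-hex: reject
    esac
    printf '%s\n' "$handle"
}

# ssh command that forwards a local port to nfs (2049) on the server
# by way of the jump host inside the server's perimeter.
tunnel_cmd() {
    lport=$1; server=$2; jump=$3
    printf 'ssh -fN -L %s:%s:2049 %s\n' "$lport" "$server" "$jump"
}

# OpenBSD fstab line that mounts through the local tunnel end using
# the handle directly (TCP, nfs v3, no portmap or mountd involved).
fstab_entry() {
    server=$1; mnt=$2; lport=$3; handle=$4
    printf '%s:/ %s nfs rw,-3,-T,-h=127.0.0.1:%s:%s 0 0\n' \
        "$server" "$mnt" "$lport" "$handle"
}

# Usage: ./nfstunnel.sh "<line from mount_nfs -nvT>"  (prints both commands)
if [ $# -eq 1 ]; then
    h=$(handle_from_line "$1") || { echo "no file handle in input" >&2; exit 1; }
    tunnel_cmd 12345 s1 s2
    fstab_entry s1 /mnt 12345 "$h"
fi
```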

Jim Rees