Tue Jan 29 19:11:24 CET 2008
the problem with nfs is that it is security based on physical network
access. i'm trying to figure out some security model so i don't need
to think about it any more.
* nfs is very convenient for playing movies + videos over the network
* nfs is necessary for diskless access (root + home dirs)
how to solve this?
- regard local realm as secure
* physical access: managable = +- same as physical computer access
* logical (VPN): more difficult: VPN keys are then high rank
intermediate solution: no NFS over vpn?
there's no clean cut..
problem is: anything connected through NFS should be regarded as a
single machine. if there's physical access to any part of the machine
(or VPN access) then you're in.
trying sshfs, but this is not so obvious either. looks like it's slow
so these are 2 security models:
* user/key (ssh) based: fairly secure over insecure network
* NFS: needs network level security (network = machine)
maybe best to limit NFS to diskless root (limited) + readonly access
to public data.