Securing NFS in a Teaching Laboratory Environment

The Network File System (NFS, aka No File Security) is a popular Unix file-sharing system developed by Sun Microsystems. Classic NFS relies on the servers trusting authentication information based on the IP addresses of the clients to implement file access control. In a teaching lab environment (and many others), it is relatively easy to fake IP addresses and hence subvert NFS's authentication mechanisms.

We desired a situation in which Linux workstations in a teaching lab could mount users' home directories from existing Sun Solaris NFS servers in a secure way. Furthermore, we required students to have root access on the Linux workstations whilst mounting their own home directories from the file servers without subverting the file security.

Our solution involves a combination of source Network Address Translation (NAT, or IP-Masquerading), a kernel IPTables filter module and an SSL connection along with an appropriate Pluggable Authentication Module (PAM). The solution requires no modifications to the Sun Solaris servers at all. The system has been tested under load in a hostile environment for one and a half semesters so far with no known compromises.