    How to secure postinstall/postdownload/sysprep scripts folder (NFS) ?

    FOG Problems
    • Florent (last edited by Florent)

      Hello,
      How to secure the postinstall/postdownload/sysprep scripts folder (NFS)?
      Because everything in /images/postdownloadscripts is accessible by everyone with NFS (on Windows 10, for example).
      Do you have a best practice to protect this?
      Or is it possible to restrict access only to FOSS (the Linux PXE-loaded OS)?

      Florent
      Bretagne, FRANCE

      • Junkhacker (Developer) @Florent

        @florent Securing FOG has always been one of the biggest challenges. There isn't a good way to secure postdownloadscripts while still allowing them to be accessible by FOSS. What could be done, if you have anything requiring some level of security, would be for the script to not actually be what you need done, but a reference to an external source for what you need, an HTTPS address for example. The files you're serving up from that source could be secured and access restricted based on what the FOSS knows or the FOG server knows (i.e. a host with this ID in the system and an active imaging task is allowed download access).

        signature:
        Junkhacker
        We are here to help you. If you are unresponsive to our questions, don't expect us to be responsive to yours.

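Junkhacker's suggestion above (keep only a reference on the NFS share, serve the real script over HTTPS, and gate access on what the FOG server knows about the host) sketched as an added Python example. This is not FOG's own code and not the thread's: it is a hypothetical token scheme in which the server mints a short-lived HMAC token only for a host with an active imaging task, and the download endpoint verifies the token before releasing the script. `SERVER_SECRET`, `ACTIVE_TASKS`, `PROTECTED_SCRIPTS` and `serve_script` are constructed stand-ins for a server-side secret, the FOG task table and the HTTPS handler.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Assumption: a secret that lives only on the FOG server, never on the NFS share.
SERVER_SECRET = b"constructed-demo-secret-rotate-me"
TOKEN_TTL_SECONDS = 600

# Constructed stand-in for what the FOG server knows: host ID -> active imaging task ID.
ACTIVE_TASKS: Dict[int, str] = {42: "T1001", 57: "T1002"}

# Constructed stand-in for the files the HTTPS endpoint protects.
PROTECTED_SCRIPTS = {"sysprep.ps1": "# constructed payload: real sysprep steps would live here"}


def _mac(payload: str) -> str:
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


def mint_token(host_id: int, now: Optional[float] = None,
               tasks: Dict[int, str] = ACTIVE_TASKS) -> Optional[str]:
    """Issue 'host.task.expiry.mac', but only while the host has an active imaging task."""
    task = tasks.get(host_id)
    if task is None:
        return None                        # no active task -> nothing to hand out
    expiry = int(_now(now)) + TOKEN_TTL_SECONDS
    payload = f"{host_id}.{task}.{expiry}"
    return f"{payload}.{_mac(payload)}"


def verify_token(token: str, now: Optional[float] = None,
                 tasks: Dict[int, str] = ACTIVE_TASKS) -> bool:
    """Accept only an unmodified, unexpired token whose task is still active on the server."""
    try:
        host_s, task, expiry_s, mac = token.split(".")
        host_id, expiry = int(host_s), int(expiry_s)
    except ValueError:
        return False                       # malformed token
    payload = f"{host_id}.{task}.{expiry}"
    if not hmac.compare_digest(_mac(payload), mac):
        return False                       # tampered or forged (constant-time compare)
    if _now(now) >= expiry:
        return False                       # TTL passed
    return tasks.get(host_id) == task      # task finished or cancelled -> access revoked


def serve_script(token: str, name: str, now: Optional[float] = None,
                 tasks: Dict[int, str] = ACTIVE_TASKS) -> Tuple[int, str]:
    """Model of the HTTPS handler: returns (HTTP status, body)."""
    if not verify_token(token, now, tasks):
        return 403, ""
    body = PROTECTED_SCRIPTS.get(name)
    return (200, body) if body is not None else (404, "")


if __name__ == "__main__":
    t = mint_token(42)
    print(t)
    print(serve_script(t, "sysprep.ps1")[0], serve_script(t, "sysprep.ps1", tasks={})[0])
```

With this split, the file on the NFS share holds nothing but a URL, so a Windows user browsing the export sees no secrets, and a token copied off a host stops working as soon as the imaging task is closed or the TTL passes. The HTTPS transport covers the remaining gap (the token and script in transit), which plain NFS does not.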
        • Florent @Junkhacker

          @junkhacker Hello, thanks for your answer.
          It would be nice if in a future version we could have this kind of functionality.
          I also thought of, for example, a certificate on the FOSS so that only FOSS can access this folder(s), but I don't know how I can do this.

          • george1421 (Moderator) @Florent

            @florent I have been working on adding NFSv4 to FOG. NFSv4 consolidates all of the NFSv3 ports into a single communication port, 2049.

            As part of a side project of NFSv4 I've been testing stunnel to send encrypted traffic between FOS Linux and the FOG server. While it works, I'm not happy with the file transfer performance and the CPU load it places on both the FOG server and the target computer. On my home lab (the small server is a Dell 910 running Proxmox) I get ~41MB/s transfer rate using stunnel and ~119MB/s with just NFSv4. That is quite a performance impact and probably not a good choice. I used the small Proxmox server to make the poor performance more visible.

            If we step back to NFSv4 and that single port, it is possible to move that NFS port to a different port number (i.e. 32049) and then program FOS Linux to use that port number for communication with the FOG server. This method will work and give you minimal security through obscurity (doing something out of the normal to simply defeat standard communication). This will thus hide the FOG file share from users that might have NFS loaded on their computer.

            For true NFS security we need to look at a Kerberos security framework for FOG. That would keep the standard NFS performance with added security. Right now I don't know if FOS Linux (the program that runs on the target computer) can support a Kerberos infrastructure for NFS authentication.

            Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

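To make the exposure Florent and george1421 describe concrete, here is an added Python example that is not part of the thread or of FOG: a small parser for exports(5)-style entries plus an audit that flags every export reachable by any NFS client, or by IP/subnet only, without Kerberos (`sec=krb5*`). `SAMPLE_EXPORTS` is constructed; the `/images` and `/images/dev` paths mirror the ones discussed in the thread, while the `10.0.0.0/24` subnet, `/secure/images` and the option lists are assumptions, not FOG's shipped configuration.

```python
import re
from typing import List, Tuple

# Constructed exports file (not FOG's own). The first two lines are open to every NFS
# client on the network, which is exactly what lets a Windows 10 NFS client browse them.
# The third shows the hardened form: imaging subnet only, Kerberos with privacy.
SAMPLE_EXPORTS = """\
/images *(ro,sync,no_subtree_check,fsid=0)
/images/dev *(rw,sync,no_subtree_check)
# hardened: needs a Kerberos realm that FOS Linux can join (see george1421's caveat)
/secure/images 10.0.0.0/24(ro,sync,no_subtree_check,sec=krb5p)
"""

ExportEntry = Tuple[str, str, List[str]]   # (path, client spec, option list)

_SPEC = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text: str) -> List[ExportEntry]:
    """Parse '<path> <client>(<opts>) <client>(<opts>) ...' lines; '#' starts a comment."""
    entries: List[ExportEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = _SPEC.match(spec)
            if m is None:
                raise ValueError(f"unparseable export spec: {spec!r}")
            client = m.group(1) or "*"                       # bare '(opts)' means every host
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, client, opts))
    return entries


def kerberos_only(opts: List[str]) -> bool:
    """True only if every permitted security flavour is krb5*; no sec= means sys (trust the client)."""
    flavours = {f for o in opts if o.startswith("sec=") for f in o[4:].split(":")}
    return bool(flavours) and all(f.startswith("krb5") for f in flavours)


def audit_exports(text: str) -> List[Tuple[str, str, str]]:
    """Findings as (severity, path, client).
    OPEN   = exported to every host without Kerberos: anyone with an NFS client can read it.
    IPONLY = restricted by host or subnet but still sec=sys: an address is not an identity."""
    findings = []
    for path, client, opts in parse_exports(text):
        if kerberos_only(opts):
            continue
        findings.append(("OPEN" if client == "*" else "IPONLY", path, client))
    return findings


if __name__ == "__main__":
    for severity, path, client in audit_exports(SAMPLE_EXPORTS):
        print(f"{severity:6} {path} -> {client}")
```

Run against the sample, the audit reports both `/images` exports as OPEN and stays quiet on the Kerberos-only one. Note that moving NFSv4 to port 32049, as george1421 describes, changes none of these findings: the audit looks at who is allowed in, not at which port, and a client that is told the port is in again. The `sec=krb5p` line is the form the thread identifies as real security, and it only helps once FOS Linux can obtain a Kerberos ticket.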
            • Junkhacker (Developer) @george1421

              @george1421 I have had, in the past, FOG working without NFS completely (for downloads; uploading images to FOG still required NFS, but that's easier to lock down since you can limit access by IP or whatever for your image source machine).

              If there's any interest, I have ideas on how to re-implement fogtorrent (FOG imaging using BitTorrent), though my time to participate in its development (and skill level) are limited.

              • Florent @george1421

                @george1421 In the next FOG version, will it be NFSv4?

                • Florent @Junkhacker

                  @junkhacker Limiting access by IP is not sufficient for my case, because users can access the NFS with their Windows machines.

                  • Junkhacker (Developer) @Florent

                    @florent In my alternate setup, only the machine you use to upload images to FOG would need NFS enabled. The hosts you deploy to would not.

                    • george1421 (Moderator) @Florent

                      @florent said in How to secure postinstall/postdownload/sysprep scripts folder (NFS) ?:

                          In the next FOG version, will it be NFSv4?

                      Only if the developers accept my edits. I do have instructions to upgrade FOG 1.5.9.x to support NFSv4. That is how I'm working on it in development.

                      • Florent @george1421

                        @george1421 Thanks, I will wait for this update to test this; maybe when it rolls out I'll ask for help.
                        Have a good day.

                        • Florent @Junkhacker

                          @junkhacker Interesting, even if I don't understand the whole concept.

                          Copyright © 2012-2024 FOG Project