How to secure postinstall/postdownload/sysprep scripts folder (NFS) ?

Florent

Hello,
How to secure postinstall/postdownload/sysprep scripts folder (NFS) ?
Because, everything that is in /images/postdownloadscripts is accessible by everyone with NFS (on Windows 10 for example).
Have you best practice to protect this ?
Or possible to restrict access only to FOSS (the linux pxe loaded) ?

Junkhacker

@florent securing fog has always been one of the biggest challenges. there isn’t a good way to secure postdownloadscripts while still allowing them to be accessible by FOSS. what could be done if you have anything requiring some level of security would be for the script to not actually be what you need done, but a reference to an external source for what you need. a https address for example. the files you’re serving up from that source could be secured and access restricted based on what the FOSS knows or the FOG server knows (i.e. host with this ID in the system and an active imaging task is allowed download access)

Florent

@junkhacker Hello, thanks for your answer.
It would be nice if in the future next version we can have this kind of functionnality.
I thought too for example a certificate on the FOSS and only FOSS can access this folder(s), but i don’t know how i can do this

george1421

@florent I have been working on adding NFSv4 to FOG. NFSv4 consolidates all of the NFSv3 ports into a single communication port 2049.

As part of a side project of NFSv4 I’ve been testing stunnel to send encrypted traffic between FOS Linux and the FOG server. While it works, I’m not happy with the file transfer performance and CPU load it places on both the FOG server and target computer. On my home lab (small server is Dell 910 running proxmox) I get ~41MB/s transfer rate using stunnel and ~119MB/s with just NFSv4. That is quite a performance impact and probably not a good choice. I used the small proxmox server to make poor performance more visible.

If we step back to nfsv4 and that single port. It is possible to move that NFS port to a different port number (i.e. 32049) and then program FOS Linux to use that port number for communication with the FOG server. This method will work and give you minimal security through obscurity (doing some out of the normal to simply defeat standard communication.) This will thus hide the fog file share from users that might have NFS loaded on their computer.

For true NFS security we need to look at a kerberos security framework for FOG. That would keep the standard NFS performance with added security. Right now I don’t know if FOS Linux (the program that runs on the target computer) can support a kerberos infrastructure for NFS authentication.

Junkhacker

@george1421 i have had in the past fog working without NFS completely (for downloads. uploading images to fog still required NFS, but that’s easier to lock down since you can limit access by IP or whatever for your image source machine)

if there’s any interest, i have ideas on how to re-implement fogtorrent (fog imaging using bit-torrent) though my time to participate in it’s developent (and skill level) are limited/

Florent

@george1421 In the next FOG version it will be NFSv4 ?

Florent

@junkhacker Limit access by IP is not sufficient for my case, Because users can access in the NFS xith their windows

Junkhacker

@florent in my alternate setup, only the machine you use to upload images to fog would need NFS enabled. the hosts you deploy to would not.

george1421

@florent said in How to secure postinstall/postdownload/sysprep scripts folder (NFS) ?:

In the next FOG version it will be NFSv4 ?

Only if the developers accept my edits. I do have instructions to upgrade FOG 1.5.9.x to support nfsv4. That is how I’m working on it in development.

Florent

@george1421 Thanks, i will wait this update to test this, maybe when rollout i ask help
Have a good day

Florent

@junkhacker interesting, even if i don’t understant all the concept