• Register
    • Login
    • Search
    • Recent
    • Unsolved
    • Tags
    • Popular
    • Users
    • Groups
    • Search

    How to secure postinstall/postdownload/sysprep scripts folder (NFS) ?

    FOG Problems
    3
    11
    219
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      Florent last edited by Florent

      Hello,
      How to secure postinstall/postdownload/sysprep scripts folder (NFS) ?
      Because, everything that is in /images/postdownloadscripts is accessible by everyone with NFS (on Windows 10 for example).
      Have you best practice to protect this ?
      Or possible to restrict access only to FOSS (the linux pxe loaded) ?

      Florent
      Bretagne, FRANCE

      Junkhacker 1 Reply Last reply Reply Quote 0
      • F
        Florent @Junkhacker last edited by

        @junkhacker interesting, even if i don’t understant all the concept

        Florent
        Bretagne, FRANCE

        1 Reply Last reply Reply Quote 0
        • F
          Florent @george1421 last edited by

          @george1421 Thanks, i will wait this update to test this, maybe when rollout i ask help
          Have a good day

          Florent
          Bretagne, FRANCE

          1 Reply Last reply Reply Quote 0
          • george1421
            george1421 Moderator @Florent last edited by

            @florent said in How to secure postinstall/postdownload/sysprep scripts folder (NFS) ?:

            In the next FOG version it will be NFSv4 ?

            Only if the developers accept my edits. I do have instructions to upgrade FOG 1.5.9.x to support nfsv4. That is how I’m working on it in development.

            Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

            F 1 Reply Last reply Reply Quote 1
            • Junkhacker
              Junkhacker Developer @Florent last edited by

              @florent in my alternate setup, only the machine you use to upload images to fog would need NFS enabled. the hosts you deploy to would not.

              signature:
              Junkhacker
              We are here to help you. If you are unresponsive to our questions, don't expect us to be responsive to yours.

              F 1 Reply Last reply Reply Quote 0
              • F
                Florent @Junkhacker last edited by

                @junkhacker Limit access by IP is not sufficient for my case, Because users can access in the NFS xith their windows

                Florent
                Bretagne, FRANCE

                Junkhacker 1 Reply Last reply Reply Quote 0
                • F
                  Florent @george1421 last edited by

                  @george1421 In the next FOG version it will be NFSv4 ?

                  Florent
                  Bretagne, FRANCE

                  george1421 1 Reply Last reply Reply Quote 0
                  • Junkhacker
                    Junkhacker Developer @george1421 last edited by

                    @george1421 i have had in the past fog working without NFS completely (for downloads. uploading images to fog still required NFS, but that’s easier to lock down since you can limit access by IP or whatever for your image source machine)

                    if there’s any interest, i have ideas on how to re-implement fogtorrent (fog imaging using bit-torrent) though my time to participate in it’s developent (and skill level) are limited/

                    signature:
                    Junkhacker
                    We are here to help you. If you are unresponsive to our questions, don't expect us to be responsive to yours.

                    F 1 Reply Last reply Reply Quote 0
                    • george1421
                      george1421 Moderator @Florent last edited by

                      @florent I have been working on adding NFSv4 to FOG. NFSv4 consolidates all of the NFSv3 ports into a single communication port 2049.

                      As part of a side project of NFSv4 I’ve been testing stunnel to send encrypted traffic between FOS Linux and the FOG server. While it works, I’m not happy with the file transfer performance and CPU load it places on both the FOG server and target computer. On my home lab (small server is Dell 910 running proxmox) I get ~41MB/s transfer rate using stunnel and ~119MB/s with just NFSv4. That is quite a performance impact and probably not a good choice. I used the small proxmox server to make poor performance more visible.

                      If we step back to nfsv4 and that single port. It is possible to move that NFS port to a different port number (i.e. 32049) and then program FOS Linux to use that port number for communication with the FOG server. This method will work and give you minimal security through obscurity (doing some out of the normal to simply defeat standard communication.) This will thus hide the fog file share from users that might have NFS loaded on their computer.

                      For true NFS security we need to look at a kerberos security framework for FOG. That would keep the standard NFS performance with added security. Right now I don’t know if FOS Linux (the program that runs on the target computer) can support a kerberos infrastructure for NFS authentication.

                      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

                      Junkhacker F 2 Replies Last reply Reply Quote 0
                      • F
                        Florent @Junkhacker last edited by

                        @junkhacker Hello, thanks for your answer.
                        It would be nice if in the future next version we can have this kind of functionnality.
                        I thought too for example a certificate on the FOSS and only FOSS can access this folder(s), but i don’t know how i can do this

                        Florent
                        Bretagne, FRANCE

                        george1421 1 Reply Last reply Reply Quote 0
                        • Junkhacker
                          Junkhacker Developer @Florent last edited by

                          @florent securing fog has always been one of the biggest challenges. there isn’t a good way to secure postdownloadscripts while still allowing them to be accessible by FOSS. what could be done if you have anything requiring some level of security would be for the script to not actually be what you need done, but a reference to an external source for what you need. a https address for example. the files you’re serving up from that source could be secured and access restricted based on what the FOSS knows or the FOG server knows (i.e. host with this ID in the system and an active imaging task is allowed download access)

                          signature:
                          Junkhacker
                          We are here to help you. If you are unresponsive to our questions, don't expect us to be responsive to yours.

                          F 1 Reply Last reply Reply Quote 0
                          • 1 / 1
                          • First post
                            Last post

                          59
                          Online

                          10.4k
                          Users

                          16.4k
                          Topics

                          150.7k
                          Posts

                          Copyright © 2012-2023 FOG Project