How to secure postinstall/postdownload/sysprep scripts folder (NFS) ?

FOG Problems
Junkhacker Developer @Florent
last edited by Aug 27, 2021, 6:59 PM

@florent Securing FOG has always been one of the biggest challenges. There isn’t a good way to secure postdownloadscripts while still allowing them to be accessible by FOS. What could be done, if you have anything requiring some level of security, would be for the script to not actually be what you need done, but a reference to an external source for what you need, an https address for example. The files you’re serving up from that source could be secured and access restricted based on what the FOS knows or the FOG server knows (i.e. a host with this ID in the system and an active imaging task is allowed download access).

signature:
Junkhacker
We are here to help you. If you are unresponsive to our questions, don't expect us to be responsive to yours.
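The "reference to an external source" idea above, as an added example that is not part of this thread and not FOG's own code: the script on the NFS share would only contain a fetch (for instance a curl of an https URL), and a small service on the FOG server decides whether to hand out the real script. The service allows the download only when the host ID is known, the request comes from the address registered for that host, and the host currently has an imaging task. The host inventory, the active-task table and the script text are constructed sample data here (in a real deployment they would come from the FOG database and the scripts directory), and TLS termination is assumed to be handled by a reverse proxy in front of this listener.

```python
"""Gate postdownload scripts behind a host-ID / active-task check (example code)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed sample inventory: host ID -> IP address registered for that host.
HOSTS = {"42": "10.0.0.42", "43": "10.0.0.43"}
# Constructed sample task table: host IDs that currently have an imaging task.
ACTIVE_TASKS = {"42"}
# Constructed sample scripts; a real service would read these from disk.
SCRIPTS = {"fog.postdownload": "#!/bin/bash\necho 'post-download step'\n"}


def authorize(host_id, remote_ip, hosts=HOSTS, active_tasks=ACTIVE_TASKS):
    """Return (allowed, reason) for a script request from host_id at remote_ip.

    All three conditions must hold, so a user who merely knows a host ID and
    mounts the share from a workstation does not get the script.
    """
    if host_id not in hosts:
        return False, "unknown host"
    if hosts[host_id] != remote_ip:
        return False, "request did not come from the host's registered address"
    if host_id not in active_tasks:
        return False, "no active imaging task"
    return True, "ok"


def fetch_script(name, host_id, remote_ip):
    """Return (http_status, body): 403 when not authorized, 404 when unknown."""
    allowed, reason = authorize(host_id, remote_ip)
    if not allowed:
        return 403, reason
    if name not in SCRIPTS:
        return 404, "no such script"
    return 200, SCRIPTS[name]


class ScriptHandler(BaseHTTPRequestHandler):
    """GET /<script-name>?hostid=<id>; the peer address is taken from the socket."""

    def do_GET(self):
        url = urlparse(self.path)
        host_id = parse_qs(url.query).get("hostid", [""])[0]
        status, body = fetch_script(url.path.lstrip("/"), host_id,
                                    self.client_address[0])
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Bind to loopback; put a TLS-terminating reverse proxy in front of it.
    HTTPServer(("127.0.0.1", 8080), ScriptHandler).serve_forever()
```

The stub left on the NFS share then carries nothing sensitive, and the real content is only reachable while the FOG server itself believes that host is mid-task; clearing the task entry revokes access without touching the share.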
Florent @Junkhacker
last edited by Aug 30, 2021, 7:28 AM

@junkhacker Hello, thanks for your answer.
It would be nice if in the next version we could have this kind of functionality.
I thought too, for example, of a certificate on the FOS so that only the FOS can access this folder(s), but I don’t know how I can do this.

Florent
Bretagne, FRANCE
george1421 Moderator @Florent
last edited by Aug 30, 2021, 12:44 PM

@florent I have been working on adding NFSv4 to FOG. NFSv4 consolidates all of the NFSv3 ports into a single communication port, 2049.

As part of a side project of NFSv4 I’ve been testing stunnel to send encrypted traffic between FOS Linux and the FOG server. While it works, I’m not happy with the file transfer performance and the CPU load it places on both the FOG server and the target computer. On my home lab (small server is a Dell 910 running proxmox) I get ~41MB/s transfer rate using stunnel and ~119MB/s with just NFSv4. That is quite a performance impact and probably not a good choice. I used the small proxmox server to make poor performance more visible.

If we step back to NFSv4 and that single port, it is possible to move that NFS port to a different port number (i.e. 32049) and then program FOS Linux to use that port number for communication with the FOG server. This method will work and give you minimal security through obscurity (doing something out of the normal to simply defeat standard communication). This will thus hide the FOG file share from users that might have NFS loaded on their computer.

For true NFS security we need to look at a kerberos security framework for FOG. That would keep the standard NFS performance with added security. Right now I don’t know if FOS Linux (the program that runs on the target computer) can support a kerberos infrastructure for NFS authentication.

Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
Junkhacker Developer @george1421
last edited by Aug 30, 2021, 2:57 PM

@george1421 I have in the past had FOG working without NFS completely (for downloads; uploading images to FOG still required NFS, but that’s easier to lock down since you can limit access by IP or whatever for your image source machine).

If there’s any interest, I have ideas on how to re-implement fogtorrent (FOG imaging using BitTorrent), though my time to participate in its development (and skill level) are limited.
Florent @george1421
last edited by Aug 30, 2021, 4:53 PM

@george1421 In the next FOG version, will it be NFSv4?
Florent @Junkhacker
last edited by Aug 30, 2021, 4:54 PM

@junkhacker Limiting access by IP is not sufficient for my case, because users can access the NFS with their Windows.
Junkhacker Developer @Florent
last edited by Aug 30, 2021, 6:41 PM

@florent In my alternate setup, only the machine you use to upload images to FOG would need NFS enabled. The hosts you deploy to would not.
george1421 Moderator @Florent
last edited by Aug 30, 2021, 7:50 PM

@florent said in How to secure postinstall/postdownload/sysprep scripts folder (NFS) ?:

In the next FOG version, will it be NFSv4?

Only if the developers accept my edits. I do have instructions to upgrade FOG 1.5.9.x to support NFSv4. That is how I’m working on it in development.
Florent @george1421
last edited by Aug 31, 2021, 9:35 AM

@george1421 Thanks, I will wait for this update to test this; maybe when it rolls out I will ask for help.
Have a good day.
Florent @Junkhacker
last edited by Aug 31, 2021, 9:37 AM

@junkhacker Interesting, even if I don’t understand all the concept.
Copyright © 2012-2024 FOG Project