T-110.5102 Laboratory Works in Networking and Security (5-10 cr)

Lab B4: Network filesystems


Description of Exercise

In this exercise you will set up various network filesystems. You have to compare the network filesystems briefly, using internet (or book) sources and your own experiments.

Please use NFSv3 for this exercise. Doing the demo with NFSv4 is also acceptable, as long as you can answer the questions.

Material

1. Preparation

Add static addresses to both Lab 1's and Lab 2's eth1 interfaces. Add aliases (lab1 and lab2) for the addresses to /etc/hosts (see "man hosts").

Create two new users (e.g. "testuser1" and "testuser2") with adduser on both computers. Ensure that the users have the same UID on both computers (e.g. testuser1's UID is 1001 on lab1 and lab2, testuser2's is 1002). The easiest way is to create the users in the same order on both computers.
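
A quick way to verify the UID requirement above before exporting anything, as an added example that is not part of the original handout: compare the contents of /etc/passwd from both machines. The sample passwd lines are constructed, and the min_uid cut-off of 1000 for regular accounts is an assumption (the Debian/Ubuntu default).

```python
# Constructed sample data: lab2's users were created in the opposite order.
LAB1_PASSWD = """root:x:0:0:root:/root:/bin/bash
testuser1:x:1001:1001::/home/testuser1:/bin/bash
testuser2:x:1002:1002::/home/testuser2:/bin/bash
"""
LAB2_PASSWD = """root:x:0:0:root:/root:/bin/bash
testuser2:x:1001:1001::/home/testuser2:/bin/bash
testuser1:x:1002:1002::/home/testuser1:/bin/bash
"""

def parse_passwd(text):
    """Map user name -> UID from /etc/passwd content (name:pw:uid:gid:...)."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users

def uid_mismatches(passwd_a, passwd_b, min_uid=1000):
    """List (name, uid_a, uid_b, reason) for regular users that do not line up.

    min_uid=1000 is an assumed cut-off that skips system accounts.
    """
    a, b = parse_passwd(passwd_a), parse_passwd(passwd_b)
    findings = []
    for name in sorted(set(a) | set(b)):
        ua, ub = a.get(name), b.get(name)
        if max(ua or 0, ub or 0) < min_uid:
            continue  # system account on both hosts
        if ua is None or ub is None:
            findings.append((name, ua, ub, "missing on one host"))
        elif ua != ub:
            findings.append((name, ua, ub, "UID differs"))
    return findings

if __name__ == "__main__":
    for name, ua, ub, reason in uid_mismatches(LAB1_PASSWD, LAB2_PASSWD):
        print(f"{name}: lab1={ua} lab2={ub} ({reason})")
```

On the real machines, pass the text of each host's /etc/passwd instead of the sample strings.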

2. Configuring and testing nfs

NFS is an acronym for "network filesystem". NFS is implemented for nearly all Unix variants and even for Windows.

Export /home via /etc/exports. Restart the NFS server daemon. Mount lab1:/home to lab2:/mnt. You can change user with su, e.g. "su testuser1". Test that NFS works by writing a file in lab1:/home/testuser1/test.txt and opening the same file at lab2:/mnt/testuser1/test.txt.

2.1 Demonstrate a working configuration.  1 p
2.2 What are the problems with NFSv3 'default' installations and firewalls?  1 p
2.3 What are the security problems with NFSv3 so-called authentication? Are there any alternatives for securing NFSv3?  2 p
2.4 Is it possible to encrypt all NFS traffic? How?  1 p
2.5 What happens if testuser1 UID is 1001 in lab1, 1002 in lab2 and testuser2 is 1002 in lab1, 1001 in lab2? Verify from the documentation and demonstrate.  1 p
2.6 How does NFSv4 differ from NFSv3 regarding the use of UIDs?  1 p

3. Configuring and testing samba

Samba is a Unix/Linux implementation of normal Windows network shares (NetBIOS and CIFS (Common Internet File System)). You can configure Samba via /etc/samba/smb.conf. You can access Samba shares with the smbclient command or by mounting them with mount.

Start by unmounting with umount(8) the NFS directory in lab2 from the previous assignment. If unmounting complains "resource busy", you have a shell with your current directory in the /mnt directory and you need to switch to another directory.

Share /home with read and write permissions (the /home shares are already in smb.conf but need a little bit of tweaking) and reload samba. Try to mount //lab1/home/testuser1 to lab2:/mnt with username testuser1 and testuser1's password. You have to run smbpasswd with correct parameters on lab1 first. Check that necessary services and ports are open.

3.1 Demonstrate a working configuration.  2 p
3.2 Only root can use mount. What is the problem with home folders? Can this be overridden?  1 p

4. Configuring and testing sshfs

sshfs is a filesystem for FUSE (filesystem in userspace).

Start by unmounting the samba share on lab2.

Next mount lab1:/home/testuser1 to lab2:/mnt/testuser1 using sshfs. Demonstrate this to the assistant.

4.1 Demonstrate.  1 p
4.2 When is sshfs a good solution?  1 p
4.3 What are the advantages of FUSE?  1 p
4.4 Why doesn't everyone use encrypted channels for all network filesystems?  1 p

5. Configuring and testing WebDAV

WebDAV (Web-based Distributed Authoring and Versioning) is a set of extensions to the HTTP protocol which allows users to collaboratively edit and manage files on remote web servers [1].

In this exercise we'll use the built-in WebDAV module of the Apache2 server platform. Check that apache2 is installed and enable the dav_fs module. Restart apache2.

Create a directory for WebDAV and its files (e.g. /var/www/WebDAV/files). Change the owner of the directories created to www-data (Apache's user ID) and the group to your user ID. Change the permissions if needed.

Add an alias to the virtual host file (/etc/apache2/sites-available/default) so that your server can be reached through http://localhost/webdav . Enable the virtual host by creating a symbolic link between /etc/apache2/sites-available/default and /etc/apache2/sites-enabled/ .

Restart apache2 and check that you can reach the server with, for example, elinks(1).

Set up Authorization

Enable the auth_digest module. Create a password file for a testuser with htdigest(1). Edit permissions of the file so that only www-data and root can access it. Use the following template to add the location to the virtual host file:

<Location /webdav>
  DAV On
  AuthType Digest
  AuthName "your_auth_name"
  AuthUserFile path_to_your_password_file
  Require valid-user
</Location>

Restart Apache2 and test the server from another machine using cadaver(1). You should reach the server at http://lab1/webdav .
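
A check for the password file created above, as an added example that is not part of the original handout: htdigest stores each entry as user:realm:MD5(user:realm:password), so the realm given to htdigest must equal the AuthName in the <Location> block or every login fails. The helper names, sample user, password and temporary files are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

def ha1(user, realm, password):
    """Value htdigest stores per user: MD5 hex of 'user:realm:password'."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def audit_digest_file(path, auth_name):
    """Return a list of problems for a digest file served under AuthName."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o007:  # partial check: only the 'other' permission bits
        problems.append(f"mode {mode:04o} lets users outside owner/group access the file")
    with open(path) as fh:
        for n, line in enumerate(fh, 1):
            line = line.strip()
            if not line:
                continue
            if line.count(":") < 2:
                problems.append(f"line {n}: not in user:realm:hash form")
                continue
            user, rest = line.split(":", 1)
            realm, digest = rest.rsplit(":", 1)
            if realm != auth_name:
                problems.append(f"line {n}: realm {realm!r} for {user!r} does not match AuthName {auth_name!r}")
            if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
                problems.append(f"line {n}: hash is not 32 hex digits")
    return problems

def write_sample(realm, mode):
    """Create a constructed one-user digest file (sample data, not from the lab)."""
    fd, path = tempfile.mkstemp(suffix=".digest")
    with os.fdopen(fd, "w") as fh:
        fh.write(f"testuser:{realm}:{ha1('testuser', realm, 'constructed-pw')}\n")
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    bad = write_sample("lab-realm", 0o644)        # wrong realm, world-readable
    good = write_sample("your_auth_name", 0o640)  # matches the template's AuthName
    for p in (bad, good):
        print(p, audit_digest_file(p, "your_auth_name") or "OK")
        os.remove(p)
```

The mode test only covers the "other" bits; ownership by www-data and root still has to be checked with ls -l on the real file.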

5.1 Demonstrate a working setup. (View for example a web page on one machine and edit it from another using cadaver).  3 p
5.2 Can you mount a WebDAV resource into the local filesystem? How? Demonstrate.  1 p
5.3 Does your implementation support versioning? If not, what should be added?  1 p

6. Final question

6.1 Describe briefly a few use cases for samba, nfs, sshfs and WebDAV. Where, why, weaknesses?  3 p

7. Finishing your work

When finishing your work, please remember to back up your related files from the lab computers to a safe place (e.g. your home directory in Niksula or the Computer Center). The course does not provide any backup service for the virtual machines. If you report problems regarding your machines to the course personnel, note that they may get completely reset with all running configurations cleared. (updated/clarified 11/6/2012)