NFS over SSH tunnel

 
Ted_Maul
Senior Member

NFS over SSH tunnel

Hi

I'm trying to get NFS working between 2 OpenVMS servers using an SSH tunnel. The client is running 7.3-2 TCPIP v5.4 eco 7 - Host1 (client) and the server is running 8.4-2L1 TCPIP 5.7 eco 5 - Host2 (server). The mount is tested and working locally on host2.

On host2, NFS setup:

tcpip map "/test" dsa0:

tcpip add export "/test/smg/test"/option=typeless/host=(host1,host2)

tcpip add proxy/host=(*)/nfs/uid=65/gid=50 testacc

From host1:

tcpip mount dnfs111:[smg.test]/host="host2"/path="/test/smg/test"/processor=UNIQUE/gid=50/uid=65/write

As the tcpip mount command doesn't allow a specific port to be defined, I've tried using port 111 to create the tunnel. Looking at tcpdump traces from a normal NFS, it connects to port 111.

ssh -"L" 111:localhost:111 host2

which should map to the portmapper on host2... however I get a timeout on the mount from host1.

tcpip mount dnfs111:[smg.test]/host="localhost"/path="/test/smg/test"/processor=UNIQUE/gid=50/uid=65/write

%TCPIP$DNFSMOUNT-E-MOUNTFAIL, error mounting _DNFS111:[SMG.TEST]

-SYSTEM-F-TIMEOUT, device timeout

I can create tunnels to telnet and web services on host2 on the same port using ssh -"L" 111:localhost:80 for example and tested using telnet/port=111 localhost.

I've also created a local proxy on host2:

tcpip add proxy/host=(host2)/nfs/uid=65/gid=50 testacc

 

A tcpdump shows that the mount gets no response from the localhost on port 111 and is followed by an ICMP destination unreachable (port unreachable).

I've had a look at 8.4-2L1 TCPIP 5.7 eco 5, which in help has a tcpip mount/port qualifier, but when you try to use it I get the following no matter where I place the qualifier:

CLI-W-IVQUAL, unrecognized qualifier - check validity, spelling, and placement
\PORT\

I'm wondering if the qualifier doesn't actually exist....

I've also tried a tunnel on 2049 as well with the same timeout response.

Has anyone had any joy with NFS over SSH tunnel with OpenVMS?

Thanks

Ted

3 REPLIES
Steven Schweda
Honored Contributor

Re: NFS over SSH tunnel

> I'm trying to get NFS working between 2 openvms servers using an SSH
> tunnel. [...]

   I don't do enough with either NFS or SSH to know anything, but...

> [...] port 111 [...] 2049 [...]

   I'd expect both of those to be needed, but my dim understanding of
the portmapper was that it was used to negotiate other ports, too.

      tcpip show portmapper

   A quick Web search ("nfs ports") found a guide for GNU/Linux which
includes a section (6.5) on "Tunneling NFS through SSH", which talks
about pinning particular services to particular ports, which may or may
not be possible on VMS+TCPIP:

      http://tldp.org/HOWTO/NFS-HOWTO/security.html

   Knowing nothing, I'd be looking for something fancier than SSH
tunnels for this, like, perhaps, a VPN or IPsec, where dynamically
negotiated ports might cause less trouble.

Ted_Maul
Senior Member

Re: NFS over SSH tunnel


Thanks for the reply.

I found this http://www2.cs.siu.edu/~cs491-2/projects/tzigler-snfs.pdf which is for Unix but explains the principle. With some Unix you can specify the port that mount uses. That's why I was hoping that the tcpip mount/port would work, so I could use a different local port instead of 111 to prevent any issues with using that port and to confirm which port it is actually using... The help for it says this:

MOUNT

/PORT

/PORT=n

Optional. Default: 0.

The port number to connect to the NFS server on. If the default
value of 0 is used, then query the remote host's portmapper for the
port number. If the remote hosts' portmapper does not respond with
a valid port number, then port number 2049 is used.

But it doesn't look like it's actually implemented... It doesn't help me going from 7.3-2 to 8.4-2L1, but it will prove it works and why it doesn't work from 7.3-2... It suggests that a tunnel straight to 2049 rather than 111 should work, but it doesn't...

Looking at the tcpdump when a normal mount is tried, ports 111, 10 and 2049 are the destination ports used, in that sequence, which is what is in portmapper, but mapping those ports doesn't work.

I've tried wildcarding the proxy and export and mounting /host=localhost, but still no response from the NFS service.

 

Ted_Maul
Senior Member

Re: NFS over SSH tunnel

I found this http://www2.cs.siu.edu/~cs491-2/projects/tzigler-snfs.pdf which is for Unix but explains the principle. With some Unix you can specify the port that mount uses, and that's why I was hoping that the v8.4-2L1 tcpip mount/port would work, so I could use a different local port instead of 111 to prevent any issues with using that port and to confirm which port it is actually using... The help for it says this:

MOUNT

/PORT

/PORT=n

Optional. Default: 0.

The port number to connect to the NFS server on. If the default
value of 0 is used, then query the remote host's portmapper for the
port number. If the remote hosts' portmapper does not respond with
a valid port number, then port number 2049 is used.

But it doesn't look like it's actually implemented... It doesn't help me going from 7.3-2 to 8.4-2L1, but it will prove it works and why it doesn't work from 7.3-2... It suggests that a tunnel straight to 2049 rather than 111 should work, but it doesn't, unless I'm doing something wrong...

Looking at the tcpdump when a normal mount is tried, ports 111, 10 and 2049 are the destination ports used, which is what is also in portmapper on the remote server...
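
The portmapper lookup discussed in this thread, as an added example that is not part of any post: it builds an RFC 1833 `PMAPPROC_DUMP` call, parses the reply, and splits the registered services by transport, since an `ssh -L` forward carries TCP connections only. The sample reply is constructed, not captured from host2; it reuses the ports named in the thread (111, 10, 2049), and the TCP/UDP assignments in it are invented for illustration.

```python
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4   # RFC 1833 portmap v2
PROGRAMS = {100000: "portmapper", 100003: "nfs", 100005: "mountd"}
PROTOCOLS = {6: "tcp", 17: "udp"}                     # IPPROTO_TCP / IPPROTO_UDP

def build_dump_call(xid):
    """ONC RPC CALL asking the portmapper for its whole table (AUTH_NONE).
    This is the UDP datagram form; over TCP a 4-byte record mark precedes it."""
    # xid, CALL=0, rpcvers=2, prog, vers, proc, cred flavor+len, verf flavor+len
    return struct.pack(">10I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP, 0, 0, 0, 0)

def parse_dump_reply(data, xid):
    """Return [(prog, vers, proto, port), ...] from a PMAPPROC_DUMP reply."""
    try:
        rxid, mtype, reply_stat, _flavor, verf_len = struct.unpack_from(">5I", data, 0)
        off = 20 + ((verf_len + 3) & ~3)              # skip XDR-padded verifier body
        (accept_stat,) = struct.unpack_from(">I", data, off)
        off += 4
        if (rxid, mtype, reply_stat, accept_stat) != (xid, 1, 0, 0):
            raise ValueError("not an accepted, successful reply to this call")
        mappings = []
        while struct.unpack_from(">I", data, off)[0]:  # XDR "value follows" flag
            mappings.append(struct.unpack_from(">4I", data, off + 4))
            off += 20
        return mappings
    except struct.error as exc:
        raise ValueError("truncated portmapper reply") from exc

def tunnel_plan(mappings):
    """Group the services an NFS mount talks to by transport protocol."""
    plan = {"tcp": set(), "udp": set()}
    for prog, _vers, proto, port in mappings:
        if prog in PROGRAMS and proto in PROTOCOLS:
            plan[PROTOCOLS[proto]].add((PROGRAMS[prog], port))
    return plan

# Constructed sample table and reply (illustrative only, not from host2).
SAMPLE_TABLE = [(100000, 2, 6, 111), (100000, 2, 17, 111),
                (100005, 1, 17, 10), (100003, 2, 17, 2049), (100003, 3, 6, 2049)]
SAMPLE_REPLY = (struct.pack(">6I", 0x1234, 1, 0, 0, 0, 0)
                + b"".join(struct.pack(">5I", 1, *m) for m in SAMPLE_TABLE)
                + struct.pack(">I", 0))

if __name__ == "__main__":
    plan = tunnel_plan(parse_dump_reply(SAMPLE_REPLY, 0x1234))
    for proto in ("tcp", "udp"):                      # only the tcp set can ride ssh -L
        print(proto, sorted(plan[proto]))
```

Any service that appears only in the `udp` set cannot be reached through a plain `ssh -L` forward, whichever local port is chosen.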