Subject: Re: encrypted swap?
To: Steven M. Bellovin <smb@research.att.com>
From: Olaf Seibert <rhialto@polderland.nl>
List: tech-security
Date: 06/08/2001 17:35:05
On Mon 04 Jun 2001 at 20:48:33 -0400, Steven M. Bellovin wrote:
> If you really want encrypted swap, and you want it with little effort, 
> use CFS and swap to a file.  I ported CFS to NetBSD; you can find it
> at your choice of
> 
>         http://www.crypto.com/software/cfs-1.4.1.tar
>         http://www.crypto.com/software/cfs-1.4.1.tar.gz
>         http://www.crypto.com/software/cfs-1.4.1.tgz
> 
> Follow the instructions in README.netbsd and you should be on the air.

Unfortunately cfs as it is cannot coexist with an NFS server on the same
host. I've been trying to rectify that, by adding a port number option
to mount_nfs, but somehow this failed so far.

My approach was to override the number obtained from the portmapper
(better would be, not to ask the port mapper in the first place but this
is just the first step). Somehow there was a strange byte-order problem,
in fact port numbers cropped up in netstat that should not have been
possible. So I am probably doing something silly here.

A patch is included below (probably with messed up whitespace).

Index: mount_nfs.c
===================================================================
RCS file: /cvsroot/basesrc/sbin/mount_nfs/mount_nfs.c,v
retrieving revision 1.30
diff -u -r1.30 mount_nfs.c
--- mount_nfs.c 2001/01/11 01:33:35     1.30
+++ mount_nfs.c 2001/06/08 15:29:45
@@ -169,6 +169,7 @@
 int force2 = 0;
 int force3 = 0;
 int mnttcp_ok = 1;
+int nfsport = -1;
 
 #ifdef NFSKERB
 static char inst[INST_SZ];
@@ -237,7 +238,7 @@
        nfsargs = nfsdefargs;
        nfsargsp = &nfsargs;
        while ((c = getopt(argc, argv,
-           "23a:bcCdD:g:I:iKL:lm:o:PpqR:r:sTt:w:x:UX")) != -1)
+           "23a:bcCdD:g:I:iKL:lm:n:o:PpqR:r:sTt:w:x:UX")) != -1)
                switch (c) {
                case '3':
                        if (force2)
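Review bot: the new `n:` option is not reflected in the usage text or in the mount_nfs(8) manual page anywhere in this patch; add a `-n port` line to both alongside the getopt string change so the option is discoverable and its meaning (override the NFS port obtained from the portmapper) is recorded.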
@@ -317,6 +318,12 @@
                        realm[REALM_SZ - 1] = '\0';
                        break;
 #endif
+               case 'n':
+                       num = strtol(optarg, &p, 10);
+                       if (*p || num < 0)
+                               errx(1, "illegal -n value -- %s", optarg);
+                       nfsport = num;
+                       break;
                case 'o':
                        getmntopts(optarg, mopts, &mntflags, &altflags);
                        if(altflags & ALTF_BG)
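Review bot: the `-n` parser accepts values that cannot be a port. `strtol` returns 0 with `p == optarg` (and `*p == '\0'`) for an empty string, so `-n ''` passes; any value above 65535 passes the `num < 0` test but is truncated when stored into the 16-bit `sin_port` later in the patch. Tighten the check to something like `if (*p || p == optarg || num <= 0 || num > 65535)`; rejecting 0 also avoids `-n 0` silently meaning "no override", since the later hunk only acts on `nfsport > 0`.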
@@ -793,6 +800,14 @@
        {
                nfsargsp->addr = (struct sockaddr *) nfs_nb.buf;
                nfsargsp->addrlen = nfs_nb.len;
+               if (nfsport > 0) {
+                       struct sockaddr_in *sin = (struct sockaddr_in *)
+                           nfsargsp->addr;
+                       printf("was using nfs port %04x\n", ntohs(sin->sin_port));
+                       sin->sin_port = (nfsport);
+                       sin->sin_port = htons(nfsport);
+                       printf("now using nfs port %04x\n", nfsport);
+               }
        }
        nfsargsp->fh = nfhret.nfh;
        nfsargsp->fhsize = nfhret.fhsize;
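Review bot: `sin->sin_port = (nfsport);` is a dead store that is immediately overwritten by `sin->sin_port = htons(nfsport);`; drop the first line. The two `printf` calls to stdout are debugging output and should not be committed as-is; also note they print the port in hex (`%04x`) while netstat reports decimal, which matters when comparing the two. The cast to `struct sockaddr_in *` assumes AF_INET, so check the address family before writing the port. Byte order within this hunk is consistent (stored with `htons`, printed with `ntohs`), so the unexpected netstat ports mentioned in the mail are unlikely to originate from these lines alone.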


-Olaf.
-- 
___ Olaf 'Rhialto' Seibert - rhialto@polder --Soup of the day, what will that be
\X/ land.nl     --what can that be, better to fear the worst -Boy Bensdorp