jordan@zooks.ads.com (Jordan Hayes) (12/08/88)
peter honeyman <honey@citi.umich.edu> writes:
... and other oxymorons.
not necessarily. certainly things along the lines of using kerberos
for the authentication and fixing your mountd and running fsirand,
etc. go a long way toward cleaning up the nfs act on a unix box. as
to *how* to do this, or (better) to make the stuff from sun out of the
box do this, send followups to sun!sunbugs and comp.protocols.nfs ...
/jordanjoycep@tandem.com (Joyce Perrelli) (03/08/91)
I am looking for articles on NFS server security. Also articles on TCP/IP security should help me.
Any ideas?
Thankshaynes@felix.ucsc.edu (99700000) (03/09/91)
I couldn't reply to the address in the original posting. MIT uses Kerberos authentication for NFS operations. You can anonymous ftp to athena-dist.mit.edu and get the papers.
bstrand@poplar13.cray.com (Brad Strand) (03/09/91)
In article <13201@darkstar.ucsc.edu> haynes@felix.ucsc.edu (99700000) writes: > >I couldn't reply to the address in the original posting. > >MIT uses Kerberos authentication for NFS operations. Technically, this is not true. The MIT implementation of Kerberized NFS provides Kerberized authentication only for client communication with the server mountd, which modifies table entries in the remote kernel. There is nothing Kerberized in the NFS requests themselves. This, IMHO, drastically reduces the security of the implementation. Since there is nothing in the NFS request which allows the server to determine its authenticity, it's really not much more secure than regular old NFS (*). Anybody on the same host (IP_addr) as me can build a fake NFS request, and the server would be none the wiser. Be sure you understand that the Athena solution to authenticated NFS does not apply well to multi-user clients. * Yes, I understand that this is not a problem in MIT's world of single-user workstations and fileservers. And, yes, I understand that attacks to Kerberized NFS are limited to periods when clients are actually registered with remote servers. -- Brad Strand bstrand@cray.com (DOMAIN) uunet!cray!bstrand (UUCP) Cray Research, Inc. Networking and Communications Development 655F Lone Oak Drive #include <std/disclaimer.h> Eagan, MN 55121 "No gnu taxes."
kadams@europa.nswc.navy.mil (Kevin Adams) (06/12/91)
We are beginning a task to look into nfs, especially security aspects. We are scheduled to look into the benefits of Kerberized NFS and Sun's Secure NFS (secure RPCs). If anyone has any advice, experiences, knowledge of security problems in nfs, or can point us to good literature sources, the help would be appreciated. Also details on what security is built into nfs, and how kerberized and Secure RPCs work would be helpful. Thanks in advance. Kevin Adams kadams@europa.nswc.navy.mil