Unkerberized NFS

Tim McGarry tim at mcgarry.ch
Wed Nov 7 06:14:26 EST 2001


I disagree about NFS: obviously any smart organisation will ensure that NFS
is secured with Kerberos BEFORE they allow RSA authentication.
But those who don't know better shouldn't find that installing OpenSSH
actually reduces the system security. This issue of NFS security comes up
quite often and the response is usually "secure your NFS". Isn't it time
that sshd_config had a flag, something like
ISYOURNFSSECURE=yes|no
If the answer is no, it's very easy to modify auth2.c etc. with a few calls
to fstatvfs to avoid trusting files from an unsafe location.

Yes, I know AuthorizedKeysFile can avoid this problem, but it wasn't
available in the portable version till 299, and even after that I'm sure
it's not as widely used as it should be.

Tim McGarry

----- Original Message -----
From: "Dave Dykstra" <dwd at bell-labs.com>
To: <Lutz.Jaenicke at aet.TU-Cottbus.DE>
Cc: <openssh-unix-dev at mindrot.org>; <mouring at etoh.eviladmin.org>; "Ed
Phillips" <ed at udel.edu>; "Dan Astoorian" <djast at cs.toronto.edu>
Sent: Tuesday, November 06, 2001 7:08 PM
Subject: Re: Entropy and DSA key


> On Tue, Nov 06, 2001 at 06:39:35PM +0100, Lutz Jaenicke wrote:
> > On Tue, Nov 06, 2001 at 10:39:37AM -0600, Dave Dykstra wrote:
> > > On Tue, Nov 06, 2001 at 05:23:36PM +0100, Lutz Jaenicke wrote:
> ...
> > > > Using a seed-save file helps, but somebody could steal it, so that
> > > > calling external gatherers at the time the cryptographic routines are
> > > > started up is an important issue.
> > >
> > > I don't buy that argument.  If somebody has the ability to steal your
> > > seed-save file, that means your system has already been compromised so I
> > > don't see the point of trying to secure it further, certainly not at such a
> > > high cost of time spent on every ssh client startup.  I think the only
> > > thing to worry about is an external attacker.
> >
> > With home directories on NFS protecting the seed file is difficult and
> > accessing the seed file does not necessarily require compromising the
> > system. The private keys are protected by a passphrase, so while I still
> > would not like people stealing the key files, there exists an additional
> > line of defense.
>
>
> I have never seen an NFS cluster where home directories aren't exported
> read-write.  Perhaps in obscure cases they might also be exported read-only
> to some more servers, but that's hardly relevant.  If they are exported
> read-write, and assuming they are using a traditional non-kerberized NFS,
> then anybody who can get physical access to one of the workstations or
> anybody can spoof one in the DNS (which is trivial) can easily get write
> access to all users' home directories.  The attacker can do absolutely
> anything including modifying the user's .profile, .ssh/authorized_keys or
> .rhosts, and from there log on and do anything they want.  In that case,
> who cares about somebody having read access to a seed file?  It makes no
> difference to overall security.  Right?  There's no point worrying about
> people who use non-kerberized NFS, and kerberized NFS doesn't have a
> problem.
>
> - Dave Dykstra
>
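An added example (not OpenSSH code, and not from either poster) of the check proposed above: refuse to trust a key file that resolves to an NFS mount unless the administrator has said NFS is secure. POSIX fstatvfs() does not report the filesystem type, so this assumes Linux and uses fstatfs() with NFS_SUPER_MAGIC instead; the allow_nfs argument stands in for the proposed ISYOURNFSSECURE=yes|no setting.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/vfs.h>      /* fstatfs(), struct statfs (Linux) */
#include <linux/magic.h>  /* NFS_SUPER_MAGIC */

enum keyfile_verdict { KEYFILE_TRUSTED = 0, KEYFILE_ON_NFS = 1, KEYFILE_ERROR = -1 };

/* allow_nfs plays the role of ISYOURNFSSECURE=yes|no: when 0, a file on an
 * NFS mount is rejected. The filesystem is queried on the open descriptor,
 * so symlinks have already been followed and the answer describes the file
 * that would actually be read, not the path name. */
enum keyfile_verdict keyfile_location(const char *path, int allow_nfs)
{
    struct statfs sf;
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return KEYFILE_ERROR;
    int rc = fstatfs(fd, &sf);
    close(fd);
    if (rc != 0)
        return KEYFILE_ERROR;
    if (sf.f_type == NFS_SUPER_MAGIC && !allow_nfs)
        return KEYFILE_ON_NFS;
    return KEYFILE_TRUSTED;
}

/* Self-test on a constructed temp file: a readable file is never an error and
 * is always trusted when allow_nfs is set; a missing file is an error. */
int self_check(void)
{
    char tmpl[] = "/tmp/authorized_keys_exampleXXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return 0;
    close(fd);
    enum keyfile_verdict strict = keyfile_location(tmpl, 0);
    enum keyfile_verdict lax = keyfile_location(tmpl, 1);
    unlink(tmpl);
    if (strict == KEYFILE_ERROR || lax != KEYFILE_TRUSTED)
        return 0;
    return keyfile_location(tmpl, 0) == KEYFILE_ERROR;
}

int main(int argc, char **argv)
{
    printf("%d\n", keyfile_location(argc > 1 ? argv[1] : "/etc/passwd", 0));
    return 0;
}
```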