Unkerberized NFS

Dave Dykstra dwd at bell-labs.com
Wed Nov 7 06:30:17 EST 2001


On Tue, Nov 06, 2001 at 08:14:26PM +0100, Tim McGarry wrote:
> I disagree, about NFS, obviously any smart organisation will ensure that NFS
> is secured with kerberos BEFORE they allow RSA authentication.
> But those who dont know better shouldn't find that installing OpenSSH
> actually reduces the system security.

It does not reduce system security.  If you are exporting a filesystem with
unkerberized NFS read-write, anybody can read and write any (usually non-root)
file, including many things the user executes such as .profile so even
without .rhosts or .ssh/authorized_keys it is totally wide open.  Having
SSH worry about unkerberized NFS is like trying to put a slightly stronger
lock on the door of a safe that has a whole wall missing.

- Dave Dykstra



More information about the openssh-unix-dev mailing list