Unkerberized NFS
Tim McGarry
tim at mcgarry.ch
Wed Nov 7 06:32:20 EST 2001
I suppose you're right, but if you edit someone's .profile, you can easily
compromise the boxes they log into. If you edit authorized_keys, access to
every box in the organisation could be possible.
Tim McGarry
----- Original Message -----
From: "Dave Dykstra" <dwd at bell-labs.com>
To: "Tim McGarry" <tim at mcgarry.ch>
Cc: <openssh-unix-dev at mindrot.org>
Sent: Tuesday, November 06, 2001 8:30 PM
Subject: Re: Unkerberized NFS
> On Tue, Nov 06, 2001 at 08:14:26PM +0100, Tim McGarry wrote:
> > I disagree, about NFS, obviously any smart organisation will ensure that
> > NFS is secured with kerberos BEFORE they allow RSA authentication.
> > But those who don't know better shouldn't find that installing OpenSSH
> > actually reduces the system security.
>
> It does not reduce system security. If you are exporting a filesystem with
> unkerberized NFS read-write, anybody can read and write any (usually
> non-root) file, including many things the user executes such as .profile
> so even without .rhosts or .ssh/authorized_keys it is totally wide open. Having
> SSH worry about unkerberized NFS is like trying to put a slightly stronger
> lock on the door of a safe that has a whole wall missing.
>
> - Dave Dykstra
>
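
An added example, not part of the thread: a small audit that flags the exports both posters are describing, i.e. read-write NFS exports that accept a non-Kerberos security flavor. It assumes Linux exports(5) syntax, which the thread does not specify; the sample paths and host names are constructed.

```python
# Constructed sample in Linux exports(5) syntax; paths and hosts are made up.
SAMPLE_EXPORTS = """\
# home directories
/home        *.example.org(rw,sync)
/export/krb  *.example.org(rw,sync,sec=krb5p)
/export/mix  10.0.0.0/24(rw,sec=sys:krb5)
/export/pub  *(ro)
/export/def  client1.example.org
"""


def audit_exports(text):
    """Return (path, client, weak_flavors) for each read-write export that
    accepts a non-Kerberos security flavor."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            client, _, rest = token.partition("(")
            opts = [o for o in rest.rstrip(")").split(",") if o]
            flavors = ["sys"]                 # exports(5) default when sec= is absent
            for opt in opts:
                if opt.startswith("sec="):
                    flavors = opt[4:].split(":")
            weak = [f for f in flavors if not f.startswith("krb5")]
            if "rw" in opts and weak:         # default is ro, so rw must be explicit
                findings.append((path, client, weak))
    return findings


if __name__ == "__main__":
    for path, client, weak in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: read-write with sec={':'.join(weak)}")
```

An export listing `sec=sys:krb5` is still flagged, because a client may negotiate the weaker `sys` flavor.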