Unkerberized NFS

Tim McGarry tim at mcgarry.ch
Wed Nov 7 06:32:20 EST 2001


I suppose you're right, but if you edit someone's .profile, you can easily
compromise the boxes they log into. If you edit authorized_keys, access to
every box in the organisation could be possible.

Tim McGarry

----- Original Message -----
From: "Dave Dykstra" <dwd at bell-labs.com>
To: "Tim McGarry" <tim at mcgarry.ch>
Cc: <openssh-unix-dev at mindrot.org>
Sent: Tuesday, November 06, 2001 8:30 PM
Subject: Re: Unkerberized NFS


> On Tue, Nov 06, 2001 at 08:14:26PM +0100, Tim McGarry wrote:
> > I disagree, about NFS, obviously any smart organisation will ensure that NFS
> > is secured with kerberos BEFORE they allow RSA authentication.
> > But those who don't know better shouldn't find that installing OpenSSH
> > actually reduces the system security.
>
> It does not reduce system security.  If you are exporting a filesystem with
> unkerberized NFS read-write, anybody can read and write any (usually non-root)
> file, including many things the user executes such as .profile so even
> without .rhosts or .ssh/authorized_keys it is totally wide open.  Having
> SSH worry about unkerberized NFS is like trying to put a slightly stronger
> lock on the door of a safe that has a whole wall missing.
>
> - Dave Dykstra
>
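
The condition both posters describe (a filesystem exported read-write over NFS without Kerberos) can be audited on the server. The following is an added example, not part of the original thread: it assumes Linux exports(5) syntax, the function names are hypothetical, and the sample exports text is constructed.

```python
import re

KRB5_FLAVORS = {"krb5", "krb5i", "krb5p"}

# Constructed sample in Linux exports(5) syntax (assumption: not from the thread).
SAMPLE_EXPORTS = """\
# home directories hold .profile and .ssh/authorized_keys
/home       10.0.0.0/24(rw,sync,root_squash)
/srv/build  *.example.org(rw,sec=krb5p)
/pub        *(ro)
/scratch    ws1.example.org(rw,sec=krb5:sys) ws2.example.org(ro)
/data       ws3.example.org (rw)
"""

def parse_exports(text):
    """Yield (path, client, options) for every client entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            m = re.fullmatch(r"([^()]*)(?:\(([^)]*)\))?", entry)
            if not m:
                continue
            # "host (rw)" with a space means: host gets defaults, everyone gets rw.
            client = m.group(1) or "*"
            opts = [o for o in (m.group(2) or "").split(",") if o]
            yield path, client, opts

def unkerberized_rw(text):
    """Return (path, client, weak_flavors) for writable exports that accept
    a non-Kerberos security flavor. Defaults per exports(5): ro, sec=sys."""
    findings = []
    for path, client, opts in parse_exports(text):
        flavors = set()
        for o in opts:
            if o.startswith("sec="):
                flavors.update(o[4:].split(":"))  # union of all listed flavors
        flavors = flavors or {"sys"}
        weak = sorted(flavors - KRB5_FLAVORS)
        if "rw" in opts and weak:
            findings.append((path, client, weak))
    return findings

if __name__ == "__main__":
    for path, client, weak in unkerberized_rw(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: writable with sec={':'.join(weak)}")
```

Any path this reports that contains home directories means files such as .profile and .ssh/authorized_keys are writable by whoever can reach the export, which is the exposure discussed in the thread.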



