Unkerberized NFS

mouring at etoh.eviladmin.org
Wed Nov 7 06:46:35 EST 2001


seed files on NFS.. My only concern is packet sniffing.  How many NFS
connections are encrypted nowadays?

- Ben

On Tue, 6 Nov 2001, Tim McGarry wrote:

> I suppose you're right, but if you edit someone's .profile, you can easily
> compromise the boxes they log into. If you edit authorized_keys, access to
> every box in the organisation could be possible
>
> Tim McGarry
>
> ----- Original Message -----
> From: "Dave Dykstra" <dwd at bell-labs.com>
> To: "Tim McGarry" <tim at mcgarry.ch>
> Cc: <openssh-unix-dev at mindrot.org>
> Sent: Tuesday, November 06, 2001 8:30 PM
> Subject: Re: Unkerberized NFS
>
>
> > On Tue, Nov 06, 2001 at 08:14:26PM +0100, Tim McGarry wrote:
> > > I disagree, about NFS, obviously any smart organisation will ensure that NFS
> > > is secured with kerberos BEFORE they allow RSA authentication.
> > > But those who don't know better shouldn't find that installing OpenSSH
> > > actually reduces the system security.
> >
> > It does not reduce system security.  If you are exporting a filesystem with
> > unkerberized NFS read-write, anybody can read and write any (usually non-root)
> > file, including many things the user executes such as .profile so even
> > without .rhosts or .ssh/authorized_keys it is totally wide open.  Having
> > SSH worry about unkerberized NFS is like trying to put a slightly stronger
> > lock on the door of a safe that has a whole wall missing.
> >
> > - Dave Dykstra
> >
>
>
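
Added example, not part of the original thread: a check of which NFS security flavor protects a path such as a user's .ssh/authorized_keys, covering both the write-access point and the sniffing question raised above. The mount table is a constructed sample in /proc/mounts format, the helper names are hypothetical, and treating a missing sec= option as AUTH_SYS is an assumption.

```python
# Added example: report how the NFS mount covering a path is protected.
NFS_TYPES = {"nfs", "nfs4"}
RISK = {
    "krb5p": "authenticated-and-encrypted",
    "krb5i": "authenticated-integrity-only",   # still readable on the wire
    "krb5": "authenticated-only",              # no per-packet protection
}
UNAUTHENTICATED = "client-asserted-uid-cleartext"  # AUTH_SYS / sec=sys

# Constructed sample (host names and export paths are made up).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
filer:/export/home /home nfs rw,vers=3,sec=sys,addr=192.0.2.10 0 0
filer:/export/proj /proj nfs4 rw,vers=4.1,sec=krb5i 0 0
filer:/export/secure /secure nfs4 ro,vers=4.2,sec=krb5p 0 0
"""

def parse_mounts(text):
    """Return [(mountpoint, fstype, {option: value})] from /proc/mounts text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt = fields[1].replace("\\040", " ")  # spaces are escaped as \040
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        mounts.append((mnt, fields[2], opts))
    return mounts

def covering_mount(path, mounts):
    """Longest mountpoint that is a path-component prefix; later entries win ties."""
    best = None
    for m in mounts:
        prefix = m[0].rstrip("/") + "/"
        if (path == m[0] or path.startswith(prefix)) and (
                best is None or len(m[0]) >= len(best[0])):
            best = m
    return best

def audit_path(path, mounts_text=SAMPLE_MOUNTS):
    """Return a finding dict if path lives on NFS, else None."""
    m = covering_mount(path, parse_mounts(mounts_text))
    if m is None or m[1] not in NFS_TYPES:
        return None
    sec = m[2].get("sec", "sys")  # assumption: no sec= option means AUTH_SYS
    return {"mount": m[0], "sec": sec, "writable": "rw" in m[2],
            "risk": RISK.get(sec, UNAUTHENTICATED)}

if __name__ == "__main__":
    for p in ("/home/ben/.ssh/authorized_keys", "/proj/build.sh", "/etc/passwd"):
        print(p, audit_path(p))
```

On a live Linux host, pass the contents of /proc/mounts as mounts_text instead of the sample.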



