Unkerberized NFS

[Tim McGarry]

Sound's good

what about authorized_keys though, doesn't stop hacks with rsa, at least
with Nicos kerberos principals extension, you'll know who it was who
compromised the system (unless of course they undo the changes done to
authorizeds_keys really quick. after gaining access)

----- Original Message -----
From: "Nicolas Williams" <Nicolas.Williams at ubsw.com>
To: <mouring at etoh.eviladmin.org>
Cc: "Tim McGarry" <tim at mcgarry.ch>; "Dave Dykstra" <dwd at bell-labs.com>;
<openssh-unix-dev at mindrot.org>
Sent: Tuesday, November 06, 2001 9:16 PM
Subject: Re: Unkerberized NFS


> Can't these user-specific seed files be stored in
{/var}/tmp/ssh-seed-$user/?
>
> On Tue, Nov 06, 2001 at 01:46:35PM -0600, mouring at etoh.eviladmin.org
wrote:
> >
> > seed files on NFS.. My only concern is packet sniffing.  How may NFS
> > connetions are encryped now days?
> >
> > - Ben
> >
> > On Tue, 6 Nov 2001, Tim McGarry wrote:
> >
> > > I suppose your right, but if you edit someones .profile, you can
easily
> > > compromise the boxes they log into. If you edit authorized_keys,
access to
> > > every box in the organisation could be possible
> > >
> > > Tim McGarry
> > >
> > > ----- Original Message -----
> > > From: "Dave Dykstra" <dwd at bell-labs.com>
> > > To: "Tim McGarry" <tim at mcgarry.ch>
> > > Cc: <openssh-unix-dev at mindrot.org>
> > > Sent: Tuesday, November 06, 2001 8:30 PM
> > > Subject: Re: Unkerberized NFS
> > >
> > >
> > > > On Tue, Nov 06, 2001 at 08:14:26PM +0100, Tim McGarry wrote:
> > > > > I disagree, about NFS, obviously any smart organisation will
ensure that
> > > NFS
> > > > > is secured with kerberos BEFORE they allow RSA authentication.
> > > > > But those who dont know better shouldn't find that installing
OpenSSH
> > > > > actually reduces the system security.
> > > >
> > > > It does not reduce system security.  If you are exporting a
filesystem
> > > with
> > > > unkerberized NFS read-write, anybody can read and write any (usually
> > > non-root)
> > > > file, including many things the user executes such as .profile so
even
> > > > without .rhosts or .ssh/authorized_keys it is totally wide open.
Having
> > > > SSH worry about unkerberized NFS is like trying to put a slightly
stronger
> > > > lock on the door of a safe that has a whole wall missing.
> > > >
> > > > - Dave Dykstra
> > > >
> > >
> > >
> --
> -DISCLAIMER: an automatically appended disclaimer may follow. By posting-
> -to a public e-mail mailing list I hereby grant permission to distribute-
> -and copy this message.-
>
> Visit our website at http://www.ubswarburg.com
>
> This message contains confidential information and is intended only
> for the individual named.  If you are not the named addressee you
> should not disseminate, distribute or copy this e-mail.  Please
> notify the sender immediately by e-mail if you have received this
> e-mail by mistake and delete this e-mail from your system.
>
> E-mail transmission cannot be guaranteed to be secure or error-free
> as information could be intercepted, corrupted, lost, destroyed,
> arrive late or incomplete, or contain viruses.  The sender therefore
> does not accept liability for any errors or omissions in the contents
> of this message which arise as a result of e-mail transmission.  If
> verification is required please request a hard-copy version.  This
> message is provided for informational purposes and should not be
> construed as a solicitation or offer to buy or sell any securities or
> related financial instruments.
>