Unkerberized NFS

Tim McGarry tim at mcgarry.ch
Wed Nov 7 07:30:48 EST 2001


thats what the AuthorizedKeysFile does isn't it?

----- Original Message -----
From: "Nicolas Williams" <Nicolas.Williams at ubsw.com>
To: "Tim McGarry" <tim at mcgarry.ch>; <mouring at etoh.eviladmin.org>
Cc: "Dave Dykstra" <dwd at bell-labs.com>; <openssh-unix-dev at mindrot.org>
Sent: Tuesday, November 06, 2001 9:29 PM
Subject: Re: Unkerberized NFS


> I was referring merely to the packet sniffing attack. That was a
> reference to the fact that you can run kerberized NFS without encrypting
> the NFS traffic.
>
> Clearly, using authorized_keys on non-secure NFS home directories is not
> good.
>
> It might be nice, however, to have an option to place authorized_keys
> or alternate authorized_keys files in secure directories, much like
> sendmail has an option to place .forward files in places other than
> users' homedirs. But even this wouldn't help much with non-secure NFS --
> as long as you store useful or sensitive data on non-secure NFS you
> lose.
>
> Nico
>
>
> On Tue, Nov 06, 2001 at 09:20:16PM +0100, Tim McGarry wrote:
> > Sound's good
> >
> > what about authorized_keys though, doesn't stop hacks with rsa, at least
> > with Nicos kerberos principals extension, you'll know who it was who
> > compromised the system (unless of course they undo the changes done to
> > authorizeds_keys really quick. after gaining access)
> >
> > ----- Original Message -----
> > From: "Nicolas Williams" <Nicolas.Williams at ubsw.com>
> > To: <mouring at etoh.eviladmin.org>
> > Cc: "Tim McGarry" <tim at mcgarry.ch>; "Dave Dykstra" <dwd at bell-labs.com>;
> > <openssh-unix-dev at mindrot.org>
> > Sent: Tuesday, November 06, 2001 9:16 PM
> > Subject: Re: Unkerberized NFS
> >
> >
> > > Can't these user-specific seed files be stored in
> > {/var}/tmp/ssh-seed-$user/?
> > >
> > > On Tue, Nov 06, 2001 at 01:46:35PM -0600, mouring at etoh.eviladmin.org
> > wrote:
> > > >
> > > > seed files on NFS.. My only concern is packet sniffing.  How may NFS
> > > > connetions are encryped now days?
> > > >
> > > > - Ben
> > > >
> > > > On Tue, 6 Nov 2001, Tim McGarry wrote:
> > > >
> > > > > I suppose your right, but if you edit someones .profile, you can
> > easily
> > > > > compromise the boxes they log into. If you edit authorized_keys,
> > access to
> > > > > every box in the organisation could be possible
> > > > >
> > > > > Tim McGarry
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Dave Dykstra" <dwd at bell-labs.com>
> > > > > To: "Tim McGarry" <tim at mcgarry.ch>
> > > > > Cc: <openssh-unix-dev at mindrot.org>
> > > > > Sent: Tuesday, November 06, 2001 8:30 PM
> > > > > Subject: Re: Unkerberized NFS
> > > > >
> > > > >
> > > > > > On Tue, Nov 06, 2001 at 08:14:26PM +0100, Tim McGarry wrote:
> > > > > > > I disagree, about NFS, obviously any smart organisation will
> > ensure that
> > > > > NFS
> > > > > > > is secured with kerberos BEFORE they allow RSA authentication.
> > > > > > > But those who dont know better shouldn't find that installing
> > OpenSSH
> > > > > > > actually reduces the system security.
> > > > > >
> > > > > > It does not reduce system security.  If you are exporting a
> > filesystem
> > > > > with
> > > > > > unkerberized NFS read-write, anybody can read and write any
(usually
> > > > > non-root)
> > > > > > file, including many things the user executes such as .profile
so
> > even
> > > > > > without .rhosts or .ssh/authorized_keys it is totally wide open.
> > Having
> > > > > > SSH worry about unkerberized NFS is like trying to put a
slightly
> > stronger
> > > > > > lock on the door of a safe that has a whole wall missing.
> > > > > >
> > > > > > - Dave Dykstra
> > > > > >
> > > > >
> > > > >
> > > --
> > > -DISCLAIMER: an automatically appended disclaimer may follow. By
posting-
> > > -to a public e-mail mailing list I hereby grant permission to
distribute-
> > > -and copy this message.-
> > >
> > > Visit our website at http://www.ubswarburg.com
> > >
> > > This message contains confidential information and is intended only
> > > for the individual named.  If you are not the named addressee you
> > > should not disseminate, distribute or copy this e-mail.  Please
> > > notify the sender immediately by e-mail if you have received this
> > > e-mail by mistake and delete this e-mail from your system.
> > >
> > > E-mail transmission cannot be guaranteed to be secure or error-free
> > > as information could be intercepted, corrupted, lost, destroyed,
> > > arrive late or incomplete, or contain viruses.  The sender therefore
> > > does not accept liability for any errors or omissions in the contents
> > > of this message which arise as a result of e-mail transmission.  If
> > > verification is required please request a hard-copy version.  This
> > > message is provided for informational purposes and should not be
> > > construed as a solicitation or offer to buy or sell any securities or
> > > related financial instruments.
> > >
> --
> -DISCLAIMER: an automatically appended disclaimer may follow. By posting-
> -to a public e-mail mailing list I hereby grant permission to distribute-
> -and copy this message.-
>
> Visit our website at http://www.ubswarburg.com
>
> This message contains confidential information and is intended only
> for the individual named.  If you are not the named addressee you
> should not disseminate, distribute or copy this e-mail.  Please
> notify the sender immediately by e-mail if you have received this
> e-mail by mistake and delete this e-mail from your system.
>
> E-mail transmission cannot be guaranteed to be secure or error-free
> as information could be intercepted, corrupted, lost, destroyed,
> arrive late or incomplete, or contain viruses.  The sender therefore
> does not accept liability for any errors or omissions in the contents
> of this message which arise as a result of e-mail transmission.  If
> verification is required please request a hard-copy version.  This
> message is provided for informational purposes and should not be
> construed as a solicitation or offer to buy or sell any securities or
> related financial instruments.
>




More information about the openssh-unix-dev mailing list