Unkerberized NFS
mouring at etoh.eviladmin.org
Wed Nov 7 07:45:25 EST 2001
Great, =) So are you going to write the code to handle that mess of
race conditions? I won't touch /tmp in any program unless I am
required. That includes all the CGI code I write.
Remember, we just X cookies from /tmp due to race conditions and security
issues.
- Ben
On Tue, 6 Nov 2001, Nicolas Williams wrote:
> Can't these user-specific seed files be stored in {/var}/tmp/ssh-seed-$user/?
>
> On Tue, Nov 06, 2001 at 01:46:35PM -0600, mouring at etoh.eviladmin.org wrote:
> >
> > > seed files on NFS.. My only concern is packet sniffing. How many NFS
> > > connections are encrypted nowadays?
> >
> > - Ben
> >
> > On Tue, 6 Nov 2001, Tim McGarry wrote:
> >
> > > > I suppose you're right, but if you edit someone's .profile, you can easily
> > > > compromise the boxes they log into. If you edit authorized_keys, access to
> > > > every box in the organisation could be possible.
> > >
> > > Tim McGarry
> > >
> > > ----- Original Message -----
> > > From: "Dave Dykstra" <dwd at bell-labs.com>
> > > To: "Tim McGarry" <tim at mcgarry.ch>
> > > Cc: <openssh-unix-dev at mindrot.org>
> > > Sent: Tuesday, November 06, 2001 8:30 PM
> > > Subject: Re: Unkerberized NFS
> > >
> > >
> > > > On Tue, Nov 06, 2001 at 08:14:26PM +0100, Tim McGarry wrote:
> > > > > > I disagree, about NFS, obviously any smart organisation will ensure that NFS
> > > > > > is secured with kerberos BEFORE they allow RSA authentication.
> > > > > > But those who don't know better shouldn't find that installing OpenSSH
> > > > > > actually reduces the system security.
> > > >
> > > > > It does not reduce system security. If you are exporting a filesystem with
> > > > > unkerberized NFS read-write, anybody can read and write any (usually non-root)
> > > > > file, including many things the user executes such as .profile so even
> > > > > without .rhosts or .ssh/authorized_keys it is totally wide open. Having
> > > > > SSH worry about unkerberized NFS is like trying to put a slightly stronger
> > > > > lock on the door of a safe that has a whole wall missing.
> > > >
> > > > - Dave Dykstra
> > > >
> > >
> > >