Unkerberized NFS

Nicolas Williams Nicolas.Williams at ubsw.com
Wed Nov 7 08:01:03 EST 2001


Hey, I'm not asking for this. Dave Dykstra is. :)

Personally, I'd like to have a good /dev/random solution. That's all.

Nico


On Tue, Nov 06, 2001 at 02:45:25PM -0600, mouring at etoh.eviladmin.org wrote:
> 
> Great, =)  So are you going to write the code to handle that mess of
> race conditions?  I won't touch /tmp in any program unless I am
> required.  That includes all the CGI code I write.
> 
> Remember, we just X cookies from /tmp due to race conditions and security
> issues.
> 
> - Ben
> 
> 
> On Tue, 6 Nov 2001, Nicolas Williams wrote:
> 
> > Can't these user-specific seed files be stored in {/var}/tmp/ssh-seed-$user/?
> >
> > On Tue, Nov 06, 2001 at 01:46:35PM -0600, mouring at etoh.eviladmin.org wrote:
> > >
> > > seed files on NFS.. My only concern is packet sniffing.  How many NFS
> > > connections are encrypted nowadays?
> > >
> > > - Ben
> > >
> > > On Tue, 6 Nov 2001, Tim McGarry wrote:
> > >
> > > > I suppose you're right, but if you edit someone's .profile, you can easily
> > > > compromise the boxes they log into. If you edit authorized_keys, access to
> > > > every box in the organisation could be possible
> > > >
> > > > Tim McGarry
> > > >
> > > > ----- Original Message -----
> > > > From: "Dave Dykstra" <dwd at bell-labs.com>
> > > > To: "Tim McGarry" <tim at mcgarry.ch>
> > > > Cc: <openssh-unix-dev at mindrot.org>
> > > > Sent: Tuesday, November 06, 2001 8:30 PM
> > > > Subject: Re: Unkerberized NFS
> > > >
> > > >
> > > > > On Tue, Nov 06, 2001 at 08:14:26PM +0100, Tim McGarry wrote:
> > > > > > I disagree, about NFS, obviously any smart organisation will ensure that NFS
> > > > > > is secured with kerberos BEFORE they allow RSA authentication.
> > > > > > But those who don't know better shouldn't find that installing OpenSSH
> > > > > > actually reduces the system security.
> > > > >
> > > > > It does not reduce system security.  If you are exporting a filesystem with
> > > > > unkerberized NFS read-write, anybody can read and write any (usually non-root)
> > > > > file, including many things the user executes such as .profile so even
> > > > > without .rhosts or .ssh/authorized_keys it is totally wide open.  Having
> > > > > SSH worry about unkerberized NFS is like trying to put a slightly stronger
> > > > > lock on the door of a safe that has a whole wall missing.
> > > > >
> > > > > - Dave Dykstra
> > > > >
> > > >
> > > >
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only 
for the individual named.  If you are not the named addressee you 
should not disseminate, distribute or copy this e-mail.  Please 
notify the sender immediately by e-mail if you have received this 
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, destroyed, 
arrive late or incomplete, or contain viruses.  The sender therefore 
does not accept liability for any errors or omissions in the contents 
of this message which arise as a result of e-mail transmission.  If 
verification is required please request a hard-copy version.  This 
message is provided for informational purposes and should not be 
construed as a solicitation or offer to buy or sell any securities or 
related financial instruments.