I haven't had much of a chance to really see what the *latest* Sun
has to offer with NFS.  I do know that there was a very long list
of ways computer vandals could mess with older revisions of NFS.
I would not recommend deploying any version of NFS without
hiding all the guts behind a good filtering firewall, and
then only with a small and well trusted group of users
behind the firewall.  If you were to decide to forgo that
protection, then you should certainly investigate any recent
security improvements made to NFS, and you should make very
sure that you *never* *ever* enable any compatible hacks
with older versions of the NFS protocol that might expose you
to those same attacks.

When Paul Allen says "ypcat will not show encrypted passwords
unless you're root" is that check made in the client or server
piece of ypcat?  (I.e., can a vandal bypass it by installing his
own pirate version of ypcat?)

One of the key goodies of AFS (and DFS) is callbacks - to ensure cache
consistency.  Does the cache filesystem of Solaris contain a similar
mechanism?

Do Solaris style ACLs work in NFS?

Does NIS provide anything like the functionality of Kerberos tickets
for distributed services like zephyr?

Does Solaris/Sun/NIS offer any sort of modern automatic replicated
database for NIS, or do you still have to run all those ypxfer things?
When the database appears on the wire, is it encrypted?

How much of the C2 security stuff is available in PC-NFS?  Or
systems other than Solaris/SunOS?

Mostly, I'm just curious.

To convert from AFS Kerberos to NIS, it all depends on how many
users there are.  If it's a small number, just create new entries
with the same loginid, & reset everyone's password.  If there's
a large number, you will need to come up with a conversion strategy.
Something such as a program/server that users can run that, given
their Kerberos password, will set their NIS password to be the same
thing.

Copying files could be more of a challenge.  It seems most unlikely
that AFS groups, & ACLs, can be mechanically converted back into
NIS groups & file permissions.

                                        -Marcus Watts
                                        UM ITD PD&D Umich Systems Group
