On 15 Nov 2002, Meir Michanie wrote:

> The problem with using nfs today is authentication (don't read
> authorization, it may be another problem).
>
> NFS and PORTMAP rely on trusted hosts, you could use IPs or DNS names,
> or * (wildcards?)
>
> Spoofing this is as simple as mounting the nfs share using edited local
> /etc/passwd.
>
> You may say that how did you get access to the root account on the
> client?
> Who needs to break the client when you can come with your own laptop.
>
> One solution is using NFS over ssh.
>
> To do this you need:
>
> 1. edit /etc/exports to something like
> /home localhost(rw,root_squash,secure)
>
> 2. generate a private key for root and put it in every client machine
> (ssh requires the file to have permission --- for group and others.
> 2.1 copying the public key to .ssh/authorized-keys

Can that key be limited to running only one command (or script?) This will
limit the impact of a possible breach.

-- 
Tzafrir Cohen
mailto:[EMAIL PROTECTED]
http://www.technion.ac.il/~tzafrir
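
Added example, not part of the original thread: OpenSSH's per-key options in `authorized_keys` (`command=`, `restrict`, `permitopen=`, `no-pty` and friends) are the mechanism the question above is asking about, and this small auditor reports what a given key entry still permits. The sample entries, the placeholder key material, and the `localhost:2049` tunnel target are assumptions constructed for illustration; `restrict` needs OpenSSH 7.2 or later.

```python
import re

KEY_TYPE = re.compile(r"(ssh-|ecdsa-|sk-)\S+\s")       # entry with no options field
OPTION = re.compile(r'(?:[^,"]|"(?:\\.|[^"\\])*")+')   # one comma-separated option
FEATURES = ("pty", "port-forwarding", "agent-forwarding", "x11-forwarding")

# Constructed sample entries; key material and comment are placeholders.
UNRESTRICTED = "ssh-ed25519 AAAAC3CONSTRUCTED root@nfs-client"
TUNNEL_ONLY = ('restrict,port-forwarding,permitopen="localhost:2049",'
               'command="/bin/false" ssh-ed25519 AAAAC3CONSTRUCTED root@nfs-client')

def parse_options(line):
    """Return the ordered (name, value) options of one authorized_keys entry."""
    line = line.strip()
    if KEY_TYPE.match(line):
        return []
    quoted, end = False, len(line)
    for i, ch in enumerate(line):   # options end at the first space outside quotes
        if ch == '"' and line[i - 1:i] != "\\":
            quoted = not quoted
        elif ch.isspace() and not quoted:
            end = i
            break
    opts = []
    for item in OPTION.findall(line[:end]):
        name, _, value = item.partition("=")
        opts.append((name.lower(), value[1:-1] if value.startswith('"') else value))
    return opts

def audit(line):
    """List what the key still permits; an empty list means it is locked down."""
    opts = parse_options(line)
    allowed = dict.fromkeys(FEATURES, True)        # sshd default: everything on
    for name, _ in opts:                           # options applied left to right
        if name == "restrict":                     # turns every feature off
            allowed = dict.fromkeys(FEATURES, False)
        elif name in FEATURES:                     # re-enable after restrict
            allowed[name] = True
        elif name.startswith("no-") and name[3:] in FEATURES:
            allowed[name[3:]] = False
    names = {n for n, _ in opts}
    findings = [] if "command" in names else ["no forced command"]
    if allowed["port-forwarding"] and "permitopen" not in names:
        findings.append("port forwarding to any destination")
    findings += [f"{f} allowed" for f in FEATURES[:1] + FEATURES[2:] if allowed[f]]
    return findings

if __name__ == "__main__":
    for entry in (UNRESTRICTED, TUNNEL_ONLY):
        print(audit(entry) or "restricted to the tunnel")
```

With a forced command of `/bin/false`, the client opens the tunnel with `ssh -N` so that no session is requested.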
