Daniel Clark wrote:
> On 8/2/06, Skylar Thompson <[EMAIL PROTECTED]> wrote:
>> Daniel Clark wrote:
>> > I'm putting together a "NFSv3 is disgustingly insecure, we should move
>> > to OpenAFS" type presentation for my management [1]. I've found
>> > explanations to be less than completely understood, so I've decided to
>> > put together a demo.
>> >
>>
>> This seems like a bit of an overreaction. Why not just Kerberize your
>> NFS setup? You'll have to set up Kerberos anyways for AFS, and AFS can be
>> a PIA to work with.
>
> Because Kerberized NFSv3 was never standardized or widely implemented,
> or well documented across vendors. Here is a partial list of all of
> the platforms we need to support; I have verified working IBM or
> OpenAFS clients on almost all of them:
>
> AIX 4.3.1, 4.3.3, 5.1, 5.2, 5.3
> GNU/Linux: Debian Woody and later
> GNU/Linux: Redhat 6.0 and later, RHEL 3 and later
> GNU/Linux: SuSE SLES8 and later
> GNU/Linux: Ubuntu Breezy Badger and later
> GNU/Linux: United Linux 1.0
> Solaris/sparc: 2.6, 7, 8, 9, 10
> Solaris/x86: 10

With this system list, I can see where AFS might be better. You might also
check NFSv4, though.

> If you can point me to a site describing how to set up Kerberized
> NFSv3 across all of these platforms, I'd love to see it.

I know the Linux one here: http://www.citi.umich.edu/projects/nfsv4/linux/

> Also I'm not a Kerberized NFSv3 expert, but it would be hard for me to
> believe that it would solve *all* of the numerous NFSv3 security
> problems.
>
>> Where I work, we're moving off AFS to Kerberized NFS because AFS can be
>> difficult to work with.
>
> You must have limited platform support requirements :-)

Indeed. In fact, I come from a FreeBSD environment where AFS isn't even an
option. ;)

> I've also admined both, and have had far more problems with NFSv3,
> esp. with things sort-of-but-not-really working in difficult-to-debug
> ways, weird performance issues, and the automounter code, which is
> different for each platform, can work in inconsistent ways, and often
> requires a reboot of the machine to fix.

I find that sticking with server platforms with known-good NFS
implementations (i.e. not Linux) and UDP is a good approach. FreeBSD and
Solaris have both done well in my experience. The Linux NFS server
implementation has given no end of problems.

-- 
-- Skylar Thompson ([EMAIL PROTECTED])
-- http://www.cs.earlham.edu/~skylar/