On Thu, Jul 24, 2003 at 10:14:39PM +0800, Bopolissimus Platypus wrote:
> I am, however, concerned about the fact that anyone who can fake my IP
> (e.g., if i'm not in the office or my computer is off) can get all my
> access rights on the nfs server simply by setting his IP to mine and
> setting his uid to mine).
Just note that SMB isn't really secure, either. Most setups (not saying
all because I don't know how the newer authentication things work) will
have passwords sent in NT4 hashes going over the wire, and from what
I've read NT4 hashes are "good as plaintext". You have to trust your
local network with these things.
> Is there a good way to require password or certificate authentication
> for NFS? I suppose that I could do something like that with a PPP
> tunnel or VPN connection, but I was hoping there was a simpler way to
> do that.
Luckily, a number of projects that aim to fix the security problems of
NFS exist. The most obvious is SFS[1] which stands for "Self-Certifying
File System". From the FAQ:
# Why should I use SFS?
You should use SFS to improve the security of your local-area
network, to gain remote file system access where you can't currently
have it, or to set up a file server where currently servers are
under centralized control.
- Improve local-area network security. Current network file
systems trust the networks they run over. An attacker who
compromises one machine on an ethernet can usually take over
many of the other machines by exploiting the file system
protocols.
NFS, for example, transmits secret file handles in every file
system request. An attacker who learns the file handle of even
a single directory can access the entire file system as any
user. AFS, another widely-used network file system, does not
keep the contents of private files secret from network
eavesdroppers. Moreover, AFS uses an insecure message
authentication code (MAC) to protect the integrity of
communication between clients and servers. An active attacker
can, with very little computation, tamper with and change the
contents of AFS messages in transit. Coda has approximately
the same security properties as AFS.
- Gain remote file access. If you have a cable modem at home,
maybe you would like to access a file server at work from your
home (or vice versa). If you are collaborating with people at
a different institution, sharing a common file system may be
far more convenient than remotely logging into each other's
machines all the time. Such file sharing examples are often
impractical with existing file systems, either because of
security concerns or because of the administrative hassles
involved in coordinating the sharing. SFS is specifically
designed to make file sharing across the Internet both secure
and trivial to set up.
- Create a new server. In many environments, particularly
AFS/kerberos environments, all file servers and user accounts
are centrally maintained. You cannot set up your own file
server or create guest accounts without involving a privileged
administrator. SFS, in contrast, lets you create a file server
on your own machine and access that server from any other
machine (even clients you are not root on, as long as those
machines run the SFS client software). There is no
administrative overhead for accessing many, separately
administered SFS servers. Thus, the fact that your server is
not technically in the same administrative realm as the others
will in no way complicate your life.
I haven't actually used SFS, though. This is a combination of not having
enough time and machines to play around with, and the fact that for our
environment here NFS and SMB have both been acceptable. You'll also note
from the FAQ, which I recommend you read, that for a number of
situations SFS may work but will be a little less convenient than
normal. One such situation is when you want to export/share your home
directory.
Aside from other distributed filesystems that have security mechanisms
in place (like the Coda File System[2], for example), you can also use
the SHFS/SSHFS or Secure Shell File System[3]. This is a Linux kernel
module that allows you to mount -ANY- remote directory via SSH.
--> Jijo
[1] http://www.fs.net/sfswww/
[2] http://www.coda.cs.cmu.edu/
[3] http://shfs.sourceforge.net/
--
Federico Sevilla III : http://jijo.free.net.ph : When we speak of free
Network Administrator : The Leather Collection, Inc. : software we refer to
GnuPG Key ID : 0x93B746BE : freedom, not price.
--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
.
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
.
Are you a Linux newbie? To join the newbie list, go to
http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
