On Sat, Apr 10, 2004 at 12:15:29AM -0400, Tanner Lovelace wrote:
> Aaron S. Joyner said the following on 4/9/04 10:40 PM:
>
> [... lots of cool info snipped ...]
>
> >similar.  If you ever get the urge to consider doing NFS over a
> >public network, don't.  At least use SFS.

Good poop.

> Or better yet, use something built to work over WANs like AFS.

I was going to check out the AFS googles, but this from the SFS FAQ
(http://www.fs.net/sfswww/) stopped me in my tracks:

  NFS, for example, transmits secret file handles in every file
  system request. An attacker who learns the file handle of even a
  single directory can access the entire file system as any user.
  AFS, another widely-used network file system, does not keep the
  contents of private files secret from network eavesdroppers.
  Moreover, AFS uses an insecure message authentication code (MAC)
  to protect the integrity of communication between clients and
  servers. An active attacker can, with very little computation,
  tamper with and change the contents of AFS messages in transit.
  Coda has approximately the same security properties as AFS.

> I'll also add that the reason I suggested Samba instead of NFS
> was that even though NFS is easy to set up on Linux, it's not
> quite as easy to set up on OS X.  I run NFS at home and it
> works fine.  Performance isn't an issue, but then again,
> I don't have a lab full of machines.

Me too. Lots of machines with one user is OK for NFS too. Not much
security risk either. OTOH, I've been training myself to go secure
whenever I can. I use ssh and scp in my one-man lab. Now I am wondering
if Samba is a security hole?

Samba on Linux is not so bad. Sounds like the alternative (NFS on OSX)
is awful. Probably get more better free help on Samba/Linux than
OSX/NFS too.

-- 
Mike

Moving forward in pushing back the envelope of the corporate paradigm.
