On Wed, 11 Apr 2001, Derek Martin <[EMAIL PROTECTED]> wrote:
...
> Ignoring bugs (meaning programming errors; code that does not do what
> it was intended to do), RPC suffers from at least one inherent design
> flaw from a security perspective. That is, it depends solely on
> host-based authentication for granting access to services. If you
> haven't heard by now, it's very easy to spoof an IP address, and it's
> even possible to forge a name lookup, so these things really can't be
> trusted for providing authentication to "sensitive" services. The
> result of which is that it's fairly easy to trick RPC services into
> doing things they shouldn't do, if you know what you're doing.
BTW, has anyone on the list used Secure-RPC / nis+ in a production
environment? Any pros/cons to report? I recall hearing the key size
was considered too small (but it seems like it could be jacked up, no?)
I recall seeing mention of a Linux Secure-RPC implementation a few
years back, but haven't followed it.
Thanks,
Karl
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
