On Sun, 28 Oct 2001, "Derek D. Martin" <[EMAIL PROTECTED]> wrote:
>
> On Sun, Oct 28, 2001 at 08:58:21AM -0500, Ron Peterson wrote:
> > NFSv2 and v3 are both insecure. If the client computer is on my desktop,
> > I can reinstall Linux, give myself root, and then connect as any user I
> > want.
...
> If you want to learn how to manage Kerberos, that may work for you...
> But I'm not sure if there is a good implementation of kerberized NFS
> for Linux. I think this again may be in the realm of NFSv4.

If someone is bold enough to try it, I'd love to hear a report of how
NFSv4 works in solving this problem on Linux in a business situation.

An open source implementation is at:
http://www.citi.umich.edu/projects/nfsv4/index.html

I don't know how robust this is, but perhaps it is ready for some
folks to do a limited test deployment (i.e. some guinea pigs at work).
Or even just a careful critique w/o actually installing it.

Personally, I am not so interested in the bugs in the above implementation
since those can be fixed, but I am more interested in whether this sort of
thing effectively solves this file-sharing problem in the Real World(tm).

Presumably when a user logs in (on a machine) correctly with his Unix
passwd, that gets a Kerberos ticket to allow access to the NFS shares,
etc. This sounds good but I can see some things that are out of scope
(e.g. the physical security of a box: an evil employee installs a
hacked nfsv4-ized Linux kernel on a lab machine and waits for an
unsuspecting employee to log into it).

Karl