[vpn] Re: vpn nfs (fwd)

AlanCB rage at dial.eunet.ch
Mon Oct 22 18:45:24 EDT 2001


Other than username/password and/or IP address, what other
more advanced authentication method could (should) I consider with NFS?

greets
AlanCB

On Mon, 22 Oct 2001, Kurt Seifried wrote:

> > Thank you for your response(s)
> > let me clarify the situation:
> >
> > In our network we have several hundred unix boxes all connected to our nfs
> > server. These boxes are ours of course, only the sysadmins are root. No
> > box is behind a firewall or in a vpn, all have a publicly assigned ip.
> > Being a university, we have assistants, professors and doctorates who
> > bring in their own laptops and need a net connection. Now I'm sure you
> > know the dangers there are when someone has root on a box and can connect
> > to our nfs server...enough said there. The further dangers of having root
> > on our network which doesn't belong to us don't even need to be mentioned.
>
> Uhmm no. Using root_squash I'm not really aware of the danger of root
> connecting to your NFS server. As for users choosing arbitrary names, well
> they can also choose arbitrary IPs assuming your infrastructure isn't
> tightly locked down (which from the sounds of it it isn't). You may want to
> purchase the O'Reilly NIS/NFS book, it's quite good. Have you considered
> using the more advanced authentication available in NFS rather than the
> IP/user?
>
> Or to put it bluntly, if you are worried about security why are you using
> NFS?
>
> > Is this somehow possible or is there a more simple method for people with
> > their own notebooks in our network?
>
> Yup. See above.
>
> > greets
> > AlanCB
>
> Kurt Seifried, kurt at seifried.org
> A15B BEE5 B391 B9AD B0EF
> AEB0 AD63 0B4E AD56 E574
> http://www.seifried.org/security/