Bugtraq mailing list archives
Re: NFS exporting
From: smb () research att com (smb () research att com)
Date: Wed, 13 Apr 94 15:31:00 EDT
Here's what I posted to Firewalls on ``secure'' NFS. You may want to consult its archives for more on NFS; they're on ftp.greatcircle.com.

--Steve Bellovin

------- Forwarded Message

To: jak () mentat com
cc: Marcus J Ranum <mjr () tis com>, firewalls () GreatCircle COM
Subject: Re: General questions from a firewall neophyte
Date: Wed, 30 Mar 94 09:48:59 EST
> 2. Little seems to be said about secure NFS or RPC in firewall discussions. Am I perhaps missing something? We have employees with machines at home who would like to NFS mount file systems across the Internet. I gather that some sites actually permit this on isolated machines, but product literature and papers I've read don't seem to talk about this much. I know that "secure NFS" has its own discussion group, but it seems like firewalls shouldn't completely ignore the topic.
Marcus covered everything quite well; let me add a few more details about secure NFS.

First of all, ``secure NFS'' is an incorrect term. Rather, it's NFS using DES-authenticated RPC. Any other RPC-based service could use DES authentication; however, no other standard ones do.

Second, the DES authentication key is exchanged using Diffie-Hellman exponential key exchange. Unfortunately, the modulus size used by Sun is too small -- it's been cryptanalyzed by LaMacchia and Odlyzko.

Worse yet, the user's private key is stored in /etc/publickey protected by DES encryption, along with a cleartext public key. And the DES key? The user's password, of course. Can you say ``password cracking''? In other words, using this feature negates the beneficial effect of using a shadow password file.

Additionally, the key distribution mechanism seems to be very closely tied to NIS. At least, I couldn't make it work without enabling NIS, though admittedly I didn't try particularly hard. And I'm *not* going to run NIS over the Internet, thank you! It might be possible to set up all the keys via NIS on the central site and hand-carry them to home machines. But then they might have to run NIS locally, which is a pain.

There are more issues as well, but the margin of this note is too small for them to fit.

--Steve Bellovin
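As an added illustration (not part of Bellovin's message or Sun's code), the toy Python model below shows why a publickey-style entry, a cleartext public key sitting next to a private key encrypted under the user's password, acts as an offline verifier for password guesses and so undoes what a shadow password file protects. The DH group, the hash-based stand-in for DES, the password-to-key step and the entry layout are all constructed assumptions, not Sun's actual parameters or file format.

```python
import hashlib
from dataclasses import dataclass

# Toy Diffie-Hellman group (constructed; far smaller than anything real).
# Bellovin's point about Sun's modulus being too small applies a fortiori here.
P = 0xFFFFFFFFFFFFFFC5  # 2**64 - 59, a 64-bit prime
G = 5

def public_of(private_key: int) -> int:
    """Public key g^x mod p, the value stored in cleartext in the entry."""
    return pow(G, private_key, P)

def session_secret(my_private: int, their_public: int) -> int:
    """DH common secret from which the RPC session (DES) key would be derived."""
    return pow(their_public, my_private, P)

def key_from_password(password: str) -> bytes:
    """Stand-in for 'DES keyed by the user's password': unsalted, unstretched,
    so testing a guess costs one cheap operation (assumption, not Sun's code)."""
    return hashlib.sha256(password.encode()).digest()

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a hash-derived keystream; a stand-in for DES, not DES itself."""
    stream = hashlib.sha256(key + b"publickey-stream").digest()[:len(data)]
    return bytes(a ^ b for a, b in zip(data, stream))

@dataclass
class PublickeyEntry:
    """Shape of a publickey-style entry: cleartext public key next to the
    user's private key encrypted under a password-derived key."""
    user: str
    public_key: int
    encrypted_private: bytes

def make_entry(user: str, password: str, private_key: int) -> PublickeyEntry:
    enc = toy_cipher(key_from_password(password), private_key.to_bytes(8, "big"))
    return PublickeyEntry(user, public_of(private_key), enc)

def password_verifies(entry: PublickeyEntry, guess: str) -> bool:
    """Using only the entry: decrypt with the guess, recompute g^x, compare to
    the cleartext public key. The file itself confirms or rejects each guess,
    which is why it removes the benefit of a shadow password file."""
    candidate = int.from_bytes(
        toy_cipher(key_from_password(guess), entry.encrypted_private), "big")
    return public_of(candidate) == entry.public_key

def weak_password_found(entry: PublickeyEntry, wordlist):
    """Audit helper: report the first dictionary word the entry confirms."""
    return next((w for w in wordlist if password_verifies(entry, w)), None)
```

A recovered private key also yields every session secret that user ever negotiated with a known peer public key, which is the second cost of the file layout.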