> It's just flatly amazing to me how much hard labor people will
> happily endure while never addressing the real, easily fixed, bug;
> namely that NFS uses unauthenticated RPC by default.
> Not shipping kerberos (or the functional equivalent) as a fully
> integrated part of one's OS is ...

... necessary in order to ship it outside the US, thanks to your
government's brilliant restriction on letting encryption technology
(that's readily available everywhere) cross out of its borders.

I suppose NetBSD could invent some kind of RPC authentication that
doesn't use DES. Given a cryptographically strong hash function like
MD5 or SHA, and a secret shared by server and desired client, it's
easy for the originator to certify packets and the receiver to verify
them. Whether one wants something as expensive as md5 on every nfs
packet is another question, of course.

der Mouse
mouse@collatz.mcrcim.mcgill.edu
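
The certify/verify scheme described in the message above, as an added example that is not part of the original post or of any NetBSD code. It swaps the bare hash for HMAC-SHA-256 (a plain hash over secret plus message is open to length extension), and the packet framing, function names and sample values are assumptions made for illustration, not the RPC or NFS wire format.

```python
import hashlib
import hmac
import struct

TAG_LEN = hashlib.sha256().digest_size  # 32-byte authentication tag
HDR_LEN = 4                             # hypothetical 32-bit transaction id


def certify(secret: bytes, xid: int, payload: bytes) -> bytes:
    """Originator: frame xid + payload and append a keyed-hash tag over both."""
    body = struct.pack(">I", xid) + payload
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return body + tag


def verify(secret: bytes, packet: bytes):
    """Receiver: return (xid, payload) if the tag matches, otherwise None."""
    if len(packet) < HDR_LEN + TAG_LEN:
        return None  # too short to carry a header and a tag
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many
    # leading tag bytes were correct.
    if not hmac.compare_digest(tag, expected):
        return None
    (xid,) = struct.unpack(">I", body[:HDR_LEN])
    return xid, body[HDR_LEN:]


if __name__ == "__main__":
    # Constructed sample values, not taken from the original message.
    secret = b"constructed-shared-secret"
    request = b"READ fh=01 offset=0 count=4096"

    packet = certify(secret, 7, request)
    print("genuine packet  :", verify(secret, packet))

    # A single flipped payload bit invalidates the tag.
    tampered = bytearray(packet)
    tampered[HDR_LEN + 1] ^= 0x01
    print("tampered packet :", verify(secret, bytes(tampered)))

    # A sender that does not hold the shared secret cannot produce a valid tag.
    print("wrong secret    :", verify(b"some-other-secret", packet))
```

The tag only proves that the sender holds the secret and that the bytes are unchanged; a captured packet still verifies if it is sent again, so a real protocol also needs freshness checks on the receiver.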