Re: CERT, about NFS

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Scott Schwartz: "Re: CERT, about NFS"
• Previous message: Bela Lubkin: "Re: CERT, about NFS"
• Maybe in reply to: der Mouse: "CERT, about NFS"
• Next in thread: Scott Schwartz: "Re: CERT, about NFS"

> It's just flatly amazing to me how much hard labor people will
> happily endure while never addressing the real, easily fixed, bug;
> namely that NFS uses unauthenticated RPC by default.

> Not shipping kerberos (or the functional equivalent) as a fully
> integrated part of one's OS is ...

... necessary in order to ship it outside the US, thanks to your
government's brilliant restriction on letting encryption technology
(that's readily available everywhere) cross out of its borders.

I suppose NetBSD could invent some kind of RPC authentication that
doesn't use DES.  Given a cryptographically strong hash function like
MD5 or SHA, and a secret shared by server and desired client, it's easy
for the originator to certify packets and the receiver to verify them.
Whether one wants something as expensive as md5 on every nfs packet is
another question, of course.

					der Mouse

			    mouse@collatz.mcrcim.mcgill.edu

• Next message: Scott Schwartz: "Re: CERT, about NFS"
• Previous message: Bela Lubkin: "Re: CERT, about NFS"
• Maybe in reply to: der Mouse: "CERT, about NFS"
• Next in thread: Scott Schwartz: "Re: CERT, about NFS"