Re: Is there any encrypted or secure NFS?

["Paul Smith" <pausmith@nortelnetworks.com>]

%% Mark Roach <mrroach@okmaybe.com> writes:

  mr> Note: if you tell me that he is going to boot off a knoppix CD and
  mr> crack root on the box to su to userB, you must give me at least
  mr> one example of an alternative that is not susceptible to an attack
  mr> by a malicious local root

Any method that forces the client to authenticate himself by more than
simple UID.  It must be doable since Windows SMB does it: having
Administrator privileges on your Windows box doesn't give you the
ability to read anyone else's files on a remote SMB share.

For example, there are versions of NFS that use Kerberos for
authentication.  In this scenario simply being root (which given
physical access to the box is obviously trivial) won't get you access to
someone else's files.  I don't personally know of any site that uses
this, but it's in the NFS standards.


You may argue that if you have root access on your target's box you can
snoop enough information to fake out Kerberos, and you're probably
right.  You can install trojans, for starters.  But at least you have to
have root access on _their_ box and you have to do some work that is
potentially detectable; with normal NFS all you need is root access on
your _OWN_ box, plus a trivial "su", which is far, far simpler to
accomplish, and virtually untraceable.

-- 
-------------------------------------------------------------------------------
 Paul D. Smith <psmith@nortelnetworks.com>   HASMAT--HA Software Mthds & Tools
 "Please remain calm...I may be mad, but I am a professional." --Mad Scientist
-------------------------------------------------------------------------------
   These are my opinions---Nortel Networks takes no responsibility for them.