Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!psuvax1!brutus.cs.uiuc.edu!wuarchive!wugate!uunet!mcsun!ukc!icdoc!qmc-cs!liam
From: liam@cs.qmc.ac.uk (William Roberts)
Newsgroups: comp.protocols.nfs
Subject: Re: Security of PC-NFS
Summary: Just as bad as Mac NFS
Message-ID: <1200@sequent.cs.qmc.ac.uk>
Date: 31 Aug 89 19:24:55 GMT
References: <188@titania.warwick.ac.uk>
Reply-To: liam@cs.qmc.ac.uk (William Roberts)
Organization: Computer Science Dept, Queen Mary College, University of London, UK.
Lines: 35
Expires:
Sender:
Followup-To:
Distribution:
Keywords:

In article <188@titania.warwick.ac.uk> cudcv@warwick.ac.uk (Rob McMahon) writes:
>Are there any plans to make PC-NFS at least moderately secure?  I have had my
>fears about it, and an article here not long ago confirmed that the uid & gid
>are kept unencrypted and alterable on the PC, so that anyone using PC-NFS can
>trivially pretend to be any usercode he feels like by poking these values.

What did I say? In NFS "the server trusts the clients", and it is
deeply unwise to entrust user authentication to a machine whose OS
(MacOS, MS-DOS) doesn't have any notion of user.

>Where does Kerberos fit into the picture ?

Kerberos provides a trusted third party (the authentication server)
which produces unforgeable, testable proof-of-identity tokens that can
be quoted by the client and checked by the server (if it desires).
This uses a form of public key encryption and allows the clients to
check the identity of the servers. It reduces the trust element to
something approaching a minimum, namely:

1) Is the authentication server trusted? (Yes, lock it in a very safe
   place with no other software besides the authentication code.)

2) Is the machine through which I obtain my token actually stealing my
   password as I type it in?

3) Is the machine I'm using continuing to quote my token after I've
   left (and before it expires)?

2 & 3 have some obvious physical approaches involving all the usual
military nonsense of fingerprints, sealed modules etc.
--

William Roberts         ARPA: liam@cs.qmc.ac.uk
Queen Mary College      UUCP: liam@qmc-cs.UUCP    AppleLink: UK0087
190 Mile End Road       Tel:  01-975 5250
LONDON, E1 4NS, UK      Fax:  01-980 6533
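
Why "the server trusts the clients" shows up directly in the wire format. As an added example (not part of the original post), this decodes an AUTH_UNIX (AUTH_SYS) credential as laid out in RFC 5531, the credential NFS requests of this era carry. The sample bytes, the host name `pc-lab-07` and the ids are constructed.

```python
import struct

AUTH_SYS = 1  # ONC RPC flavor number for AUTH_UNIX / AUTH_SYS (RFC 5531)

def parse_auth_sys(cred: bytes) -> dict:
    """Decode an AUTH_SYS credential the way a server does; reject malformed input."""
    if len(cred) < 8:
        raise ValueError("truncated credential")
    flavor, length = struct.unpack_from(">II", cred, 0)
    if flavor != AUTH_SYS:
        raise ValueError(f"not AUTH_SYS (flavor {flavor})")
    if length > 400 or len(cred) < 8 + length:  # body is opaque<400>
        raise ValueError("bad credential length")
    body, off = cred[8:8 + length], 0
    def u32() -> int:
        nonlocal off
        if off + 4 > len(body):
            raise ValueError("truncated body")
        (value,) = struct.unpack_from(">I", body, off)
        off += 4
        return value

    stamp, name_len = u32(), u32()
    if name_len > 255 or off + name_len > len(body):  # machinename is string<255>
        raise ValueError("bad machine name")
    machine = body[off:off + name_len].decode("ascii", "replace")
    off += name_len + (-name_len % 4)  # XDR pads to a 4-byte boundary
    uid, gid, ngids = u32(), u32(), u32()
    if ngids > 16:  # gids<16>
        raise ValueError("too many groups")
    gids = [u32() for _ in range(ngids)]
    return {"stamp": stamp, "machine": machine, "uid": uid, "gid": gid, "gids": gids}

# Constructed samples: the same hypothetical host, differing only in the uid field.
SAMPLE_A = bytes.fromhex("00000001" "00000024" "12345678" "00000009"
                         "70632d6c61622d3037" "000000"
                         "000003e9" "00000064" "00000001" "00000064")
SAMPLE_B = bytes.fromhex("00000001" "00000024" "12345678" "00000009"
                         "70632d6c61622d3037" "000000"
                         "000003ea" "00000064" "00000001" "00000064")

def differing_bytes(a: bytes, b: bytes) -> int:
    """Count positions where two equal-length credentials differ."""
    return sum(x != y for x, y in zip(a, b))

if __name__ == "__main__":
    for sample in (SAMPLE_A, SAMPLE_B):
        print(parse_auth_sys(sample))  # both decode cleanly; neither carries proof
    print("bytes that differ:", differing_bytes(SAMPLE_A, SAMPLE_B))
```

Both credentials are well-formed and the parser has no field it could check against a secret: stamp, machine name, uid and gids are all values the client wrote.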