Xref: utzoo comp.os.os2.misc:461 comp.os.os2.apps:57 Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!lll-winken!uunet!bbs!karl From: karl@naitc.naitc.com (Karl Denninger) Newsgroups: comp.os.os2.misc,comp.os.os2.apps Subject: Re: TCP/IP & NFS Client for OS/2 systems; what's out there? Summary: AUTH_UNIX isn't real secure, but it's not NOTHING! Message-ID: <1990Dec11.164938.27964@naitc.naitc.com> Date: 11 Dec 90 16:49:38 GMT References: <1990Dec5.153030.28086@arnor.uucp> Reply-To: karl@bbs.naitc.com (Karl Denninger) Organization: A.C. Nielsen Co. Lines: 65 In article <1990Dec5.153030.28086@arnor.uucp> yozzo@ibm.com writes: >> >> We're looking for an OS/2 TCP/IP implementation and NFS client with >> authentication. >> >> Please don't mention the IBM version 1.1 TCP services; these allow people to >> EASILY spoof any UID on the network! That is, you set your UID and GID >> through environment variables rather than provide any authentication! When >> I saw this I nearly freaked out..... >> >> Needless to say, this is rather insane! So much for the security we have >> managed to build over the past several months. >> >> Does anyone have a TCP/IP suite for OS/2? If so, please forward the info. >> Ads and pay-ware are just fine.... > >The real trouble lies in the AUTH_UNIX authenication scheme. >For better security, use the AUTH_DES authenication scheme. > >Currently, IBM OS/2 TCP/IP does not support the AUTH_DES security >scheme. >------------------------------------------------------------------------------ >| Ralph E. Yozzo | DISCLAIMER: The opinions expressed | >| IBM Thomas J. Watson Research Ctr. | herein are the Authors. | IE: IBM's OS/2 TCP/IP implementation doesn't support any security, and if you have NFS-exported filesystems on your network, you're hosed should anyone decide to take advantage of the "hole". If you're foolish enough to have "root" mapped to uid 0, then you can be REALLY hosed. Take note, diskless-workstation boot nodes! I >know< that AUTH_UNIX isn't perfect. However, many vendors (B&W, Sun, etc) have managed to make a reasonable pass at doing authentication by using a daemon for this. It's not perfect, but it's much better than nothing at all! (Environment variables?!) You won't stop a dedicated hacker, no. We don't have to. This is a corporate environment; I can safely operate on the assumption that the people who work here are working here, not hacking into our network for fun and profit. However, this "hole" just makes it too easy and tempting. I certainly can't sanction this product's use at Nielsen in it's present form. How and why did IBM release something which they >knew<, in advance, was this dangerous to network security? I did note that they DID do something about MVS NFS servers; there's a login program for them. But only if your server is a MVS machine.... which most aren't. I have no intention of letting that package anywhere near our network, unless I emasculate it first and remove things like NFS from the stack. If IBM decides to fix it, it has the appearance of a real nice package. Right now it's a time bomb waiting to go off. Alternatives welcome. -- Karl Denninger AC Nielsen kdenning@ksun.naitc.com (708) 317-3285 Disclaimer: Contents represent opinions of the author; I do not speak for AC Nielsen on Usenet.