Xref: utzoo comp.os.os2.misc:469 comp.os.os2.apps:60 Path: utzoo!attcan!uunet!bywater!arnor!news From: yozzo@ibm.com Newsgroups: comp.os.os2.misc,comp.os.os2.apps Subject: RE: TCP/IP & NFS Client for OS/2 systems; what's out there? Message-ID: <1990Dec13.000905.24664@arnor.uucp> Date: 13 Dec 90 00:09:05 GMT Sender: news@arnor.uucp (NNTP News Poster) Organization: IBM T.J. Watson Research Center Lines: 83 > > In article <1990Dec5.153030.28086@arnor.uucp> yozzo@ibm.com writes: > >> > >> We're looking for an OS/2 TCP/IP implementation and NFS client with > >> authentication. > >> > >> Please don't mention the IBM version 1.1 TCP services; these allow people to > >> EASILY spoof any UID on the network! That is, you set your UID and GID > >> through environment variables rather than provide any authentication! When > >> I saw this I nearly freaked out..... > >> > >> Needless to say, this is rather insane! So much for the security we have > >> managed to build over the past several months. > >> > >> Does anyone have a TCP/IP suite for OS/2? If so, please forward the info. > >> Ads and pay-ware are just fine.... > > > >The real trouble lies in the AUTH_UNIX authenication scheme. > >For better security, use the AUTH_DES authenication scheme. > > > >Currently, IBM OS/2 TCP/IP does not support the AUTH_DES security > >scheme. > > >------------------------------------------------------------------------------ > >| Ralph E. Yozzo | DISCLAIMER: The opinions expressed | > >| IBM Thomas J. Watson Research Ctr. | herein are the Authors. | > > > IE: IBM's OS/2 TCP/IP implementation doesn't support any security, and > if you have NFS-exported filesystems on your network, you're hosed > should anyone decide to take advantage of the "hole". If you're > foolish enough to have "root" mapped to uid 0, then you can be > REALLY hosed. Take note, diskless-workstation boot nodes! > > I >know< that AUTH_UNIX isn't perfect. However, many vendors (B&W, Sun, > etc) have managed to make a reasonable pass at doing authentication by using > a daemon for this. It's not perfect, but it's much better than nothing at > all! (Environment variables?!) > > You won't stop a dedicated hacker, no. We don't have to. This is a > corporate environment; I can safely operate on the assumption that the > people who work here are working here, not hacking into our network for fun > and profit. However, this "hole" just makes it too easy and tempting. I > certainly can't sanction this product's use at Nielsen in it's present form. > > How and why did IBM release something which they >knew<, in advance, was > this dangerous to network security? > > I did note that they DID do something about MVS NFS servers; there's a login > program for them. But only if your server is a MVS machine.... which most > aren't. > > I have no intention of letting that package anywhere near our network, > unless I emasculate it first and remove things like NFS from the stack. > > If IBM decides to fix it, it has the appearance of a real nice package. Right > now it's a time bomb waiting to go off. > > Alternatives welcome. > > -- > Karl Denninger AC Nielsen > kdenning@ksun.naitc.com > (708) 317-3285 > Disclaimer: Contents represent opinions of the author; I do not speak for > AC Nielsen on Usenet. A future version of OS/2 NFS should have AUTH_DES support. We had AUTH_UNIX authentication using the PCNFSD daemon but it was removed becausing the testing group did not feel that they could test it in time. I agree that OS/2 NFS shows the weakness in AUTH_UNIX, but anyone one using AUTH_UNIX should be aware of this problem. A unix user can write a program and say that they are any user they wish (except root). Does this mean that you are going to remove all the AUTH_UNIX NFS servers are from your network? It does not have to be a hacker. It only takes one program that accepts parameters as to what uid and gid you would like to be. Ralph E. Yozzo