Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!mintaka!spdcc!rbraun
From: rbraun@spdcc.COM (Rich Braun)
Newsgroups: comp.protocols.nfs
Subject: Re: PCNFS Security Problems - Questions
Message-ID: <7680@spdcc.SPDCC.COM>
Date: 29 May 91 16:16:35 GMT
References: <1991May28.180655.1@gsb-yen.stanford.edu> <1991May29.173651.17409@rusmv1.rus.uni-stuttgart.de>
Organization: Kronos Inc., Waltham, Mass.
Lines: 33

ps3@ph3hp840.physik.uni-stuttgart.de (ps-Gruppe) writes:
>I think that using PCNFS is not a security problem, because the PCNFSD
>( the daemon for PCNFS on your workstation) queries for your password, when
>mounting NFS.

The level of security probably depends mainly on the sophistication of
your users. If you grant physical access to the Ethernet cable itself
to a PC user, a sophisticated PC user should be able to get access to
any file on the network. Period.

At the very least, a user could program the PC to "sniff" the network
for packets containing passwords, as they go by. At a greater level,
the user could program it to masquerade as another system on the network
and give out fake user IDs in RPC calls for file access.

Neither Ethernet nor NFS were designed for high security. Unix systems
typically don't allow direct access to the IP packet interface, so a
user logging into a Unix system probably can't write a program which
can masquerade as something else. But a DOS user could do this easily
enough.

If you want high security, make sure the Ethernet can be physically
accessed only by systems which rigidly control access to the IP network
layer. Or use a different system for authentication (MIT's kerberos,
etc).

We have the U.S. government to thank for this situation: data encryption
would be much further along were it not for the NSA's desire to quash
any truly useful encryption scheme, in the interest of preventing spies
from getting cheap access to mathematically superior coding algorithms.
We can also thank Big Business, which hasn't yet shown much interest in
creating secure networks. But don't blame the developers of NFS or of
the PC, who never had "high security" in mind to begin with.

-rich
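
Added example, not part of the original post: a small auditor that decodes the AUTH_UNIX (AUTH_SYS) credential of a captured ONC RPC call, showing that the user ID an NFS server sees is a plain field supplied by the client. The wire layout follows RFC 5531; the function names, findings labels, sample messages and addresses are constructed for illustration.

```python
import struct

AUTH_SYS = 1          # RPC credential flavor, called AUTH_UNIX in 1991
NFS_PROGRAM = 100003  # ONC RPC program number for NFS

# Constructed sample calls (NFS v2, procedure 4), not captured traffic.
SAMPLE_PC = bytes.fromhex(   # machine name "pc42", uid 0, gid 0
    "00000001" "00000000" "00000002" "000186a3" "00000002" "00000004"
    "00000001" "00000018" "00000000" "00000004" "70633432"
    "00000000" "00000000" "00000000" "00000000" "00000000")
SAMPLE_WS = bytes.fromhex(   # machine name "ws1", uid 501, gid 20
    "00000002" "00000000" "00000002" "000186a3" "00000002" "00000004"
    "00000001" "00000018" "00000000" "00000003" "77733100"
    "000001f5" "00000014" "00000000" "00000000" "00000000")

def parse_call(msg: bytes) -> dict:
    """Decode an RPC v2 call header and its AUTH_SYS credential, if present."""
    if len(msg) < 32:
        raise ValueError("truncated RPC header")
    _xid, mtype, rpcvers, prog, _vers, proc, flavor, clen = struct.unpack_from(">8I", msg)
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an RPC version 2 call")
    body = msg[32:32 + clen]
    if len(body) != clen:
        raise ValueError("truncated credential")
    call = {"prog": prog, "proc": proc, "flavor": flavor}
    if flavor == AUTH_SYS:
        if clen < 8:
            raise ValueError("credential too short")
        _stamp, nlen = struct.unpack_from(">2I", body)
        off = 8 + ((nlen + 3) & ~3)       # XDR pads strings to 4 bytes
        if off + 12 > clen:
            raise ValueError("malformed AUTH_SYS body")
        call["machine"] = body[8:8 + nlen].decode("ascii", "replace")
        call["uid"], call["gid"], _ngids = struct.unpack_from(">3I", body, off)
    return call

def audit(msg: bytes, src_ip: str, trusted_hosts: set) -> list:
    """Findings for one NFS call; trusted_hosts holds the addresses of systems
    that control access to the network layer (an assumption of this example)."""
    call = parse_call(msg)
    if call["prog"] != NFS_PROGRAM or call["flavor"] != AUTH_SYS:
        return []
    findings = ["unverified-identity"]    # uid/gid are asserted, never proven
    if src_ip not in trusted_hosts:
        findings.append("untrusted-source")
    if call["uid"] == 0:
        findings.append("root-asserted")
    return findings
```

Every AUTH_SYS call is reported as unverified because nothing in the message proves the uid; only restricting which hosts can reach the wire, or a flavor backed by real authentication such as Kerberos, changes that.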