is NFS secure ?

Shekhar Dhotre sdhotre at Cedardoc.com
Thu Aug 31 16:43:54 UTC 2006 

>>It works great for a secured Data center network where all machines
are >>hidden behind a firewall and can somewhat trust each other and
there is no >>public access.


  Isn't the same applicable to telnet?

-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of Wayne Pinette
Sent: Thursday, August 31, 2006 12:37 PM
To: redhat-list at redhat.com; vzlatkin at redhat.com
Subject: Re: is NFS secure ?

Agreed in most points.   Basically NFS's power and weakness is it trusts
the IP network it is on, and that is all.  It works great for a secured
Data center network where all machines are hidden behind a firewall and
can somewhat trust each other and there is no public access.  Not so
good at all for public mounting.  It's too bad too, because if someone
ever came up with an NFS that required a simple certificate verification
handshake upon connection, (so the nfs daemons didnt trust the network,
they trusted the certficiate) then it would be much better and safer to
use in public area.  

Just my 2 cents worth.

Wayner

P.S.
root_squash means that root on the local machien does NOT have root
access to the nfs drives.  Unfortunately nothing stops you from faking
the userid of other users on your linux distribution on your laptop,
then filesharing into their files once your laptop is on the network.

>>> vzlatkin at redhat.com 08/31/06 9:26 am >>>
Certainly a vague question.  I think of it from the perspective of how

hard is it for me to see someone else's nfs data.  The answer is: very
easy.

Take a common scenario where many users mount their home directory via

nfs, and you use root_squash.  To gain access to a user's data all you

need is root on a machine that can mount any home directory.  Then just

su - [username] and you'll have access.  Some magic required, but that

is pretty insecure.

I've never tried nfs over ssh, but I know you can restrict the
different 
nfs components to use a specific port instead of portmap. Therefore, it

should be possible to do nfs over ssh.

-Vlady

Miner, Jonathan W (CSC) (US SSA) wrote:
> Hi -
> 
> Asking if something is "secure" is a pretty vague question... Whether
your system is secure or not depends on how you are using it, and what
level of security you need. I can't speak for NFSv4 yet.
> 
> See the manual page for /etc/exports to learn how to restrict who can
mount your filesystems, read-write or read-only, and whether the
clients' root account has privs or not.
> 
> You could even use iptables (or another firewall) to restrict
clients.
> 
> NFS does not encrypt traffic, but it might be possible to run NFS
over an VPN or SSH-tunnel.
> 
> 
> -----Original Message-----
> From:	redhat-list-bounces at redhat.com on behalf of Shekhar
Dhotre
> Sent:	Thu 08/31/2006 08:58 AM
> To:	General Red Hat Linux discussion list
> Cc:	
> Subject:	RE: is NFS  secure ?
> 
> So, NFS versions before NFSv4 were not secure right ?
> 
> -----Original Message-----
> From: redhat-list-bounces at redhat.com 
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Anze Vidmar
> Sent: Thursday, August 31, 2006 8:53 AM
> To: General Red Hat Linux discussion list
> Subject: Re: is NFS secure ?
> 
> On Thu, 2006-08-31 at 08:48 -0400, Shekhar Dhotre wrote:
> 
>> OK ,   Is NFS secure ? 
> NFSv4 is.
> 
> 

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe 
https://www.redhat.com/mailman/listinfo/redhat-list

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

More information about the redhat-list mailing list