Re: Secure NFS
From: Bear Giles <bgiles () coyotesong com>
Date: Thu, 27 Feb 2003 11:09:29 -0700
> I've been wondering about this for a while now...
> Everybody knows NFS is insecure. Right. So no-one uses it. Why not simply
> modify NFS to use encryption? Why not?
> Not tunneling, modify the source to either (a) establish ssl connections, or
> (b) manually encrypt all traffic (I would prefer this

(I'm coming in late, so maybe this has already been mentioned.)
Standard NFS is built on top of standard RPC, and the latter is
insecure because almost all sites support "unix authentication" at
best. That's user-id based, trivially forged by anyone with root
But RPC is an extensible protocol and there are a number of secure
alternatives to Unix authentication. RPC-DES has been around for
years, and RPC-GSSAPI (Kerberos) almost as long. I don't recall
seeing RPC-PKIX (SSL), but it's an obvious extension. Use any of
these, and truly secure NFS falls out of it. All you have to do
is make a trivial change to the NFS client and server to require
the secure alternative, plus whatever changes you need to access
the new authentication objects.
The latter has been the killer. It's not impossible - SecureNFS
and SecureRPC (using DES) have been on the market for years - but
it requires a nontrivial amount of work to set up. The
traditional Unix vendors could afford the investment, but the OSS
community largely (and falsely) believes that SSH tunnels
eliminate the need for this. SSH tunnels might work great when
connecting a handful of systems, but they don't scale well.
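
An added example, not part of the original post: a Python parser for the ONC RPC call header that reports which authentication flavor a captured call carries, so NFS traffic still relying on Unix authentication (AUTH_SYS) can be identified. The flavor numbers and header layout follow RFC 5531; the sample messages, host name and ids are constructed for illustration.

```python
import struct

# ONC RPC auth flavors (RFC 5531). AUTH_DH is the DES-based flavor.
FLAVORS = {0: "AUTH_NONE", 1: "AUTH_SYS", 2: "AUTH_SHORT", 3: "AUTH_DH", 6: "RPCSEC_GSS"}
WEAK = {"AUTH_NONE", "AUTH_SYS", "AUTH_SHORT"}  # server cannot verify these
NFS_PROGRAM = 100003

def xdr_opaque(data):
    """XDR variable-length opaque: length, bytes, zero padding to 4 bytes."""
    return struct.pack(">I", len(data)) + data + b"\x00" * (-len(data) % 4)

def parse_call(msg):
    """Parse one RPC call (TCP record mark already stripped) and report its
    credential flavor; for AUTH_SYS also the identity the client asserted."""
    if len(msg) < 32:
        raise ValueError("truncated RPC header")
    xid, mtype, rpcvers, prog, _vers, _proc, flavor, clen = struct.unpack(">8I", msg[:32])
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an RPC version 2 call")
    if clen > 400 or 32 + clen > len(msg):  # credential body is at most 400 bytes
        raise ValueError("bad credential length")
    body = msg[32:32 + clen]
    name = FLAVORS.get(flavor, "flavor %d" % flavor)
    info = {"xid": xid, "program": prog, "flavor": name, "weak": name in WEAK}
    if name == "AUTH_SYS":
        # Layout: stamp, machinename<255>, uid, gid, gids<16>; all client-chosen.
        if len(body) < 8:
            raise ValueError("truncated AUTH_SYS credential")
        nlen = struct.unpack(">I", body[4:8])[0]
        off = 8 + nlen + (-nlen % 4)
        if nlen > 255 or off + 8 > len(body):
            raise ValueError("bad AUTH_SYS machine name")
        info["machine"] = body[8:8 + nlen].decode("ascii", "replace")
        info["uid"], info["gid"] = struct.unpack(">II", body[off:off + 8])
    return info

def sample_call(flavor, cred_body):
    """Constructed sample: an NFSv3 NULL call carrying the given credential."""
    head = struct.pack(">6I", 0x1234, 0, 2, NFS_PROGRAM, 3, 0)
    return head + struct.pack(">I", flavor) + xdr_opaque(cred_body) + struct.pack(">II", 0, 0)

# Constructed credentials (hypothetical host name and ids, dummy GSS handle).
SYS_BODY = struct.pack(">I", 0) + xdr_opaque(b"client1") + struct.pack(">3I", 1000, 1000, 0)
GSS_BODY = struct.pack(">4I", 1, 0, 1, 1) + xdr_opaque(b"\x00" * 4)

if __name__ == "__main__":
    for call in (sample_call(1, SYS_BODY), sample_call(6, GSS_BODY)):
        print(parse_call(call))
```

The uid and gid reported for an AUTH_SYS call are plain integers supplied by the client, which is why a server that accepts this flavor has nothing to check them against.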