From: Shaya Potter (spotter@cs.columbia.edu)
Date: 01/16/03-12:34:22 PM Z
Subject: Re: NFSv4 security model
From: Shaya Potter <spotter@cs.columbia.edu>
Message-Id: <1042742061.32390.252.camel@zaphod>
Date: 16 Jan 2003 13:34:22 -0500

On Thu, 2003-01-16 at 12:51, Mike Eisler wrote:
> Shaya Potter wrote:
> >
> > I'm trying to understand the NFSv4 Security model, and am wondering if
> > anyone has any good pointers (beyond the RFC) on it (papers, talk
> > slides...)
>
> At www.connectathon.org there are talks from 1995 onward
> that deal with security for NFS and RPC. Authors of interest include
> Dan Nessett, Lin Ling, Ram Marti, Jack Kabat, and Mike Eisler. There's
> nothing specific about the security model because the model
> is essentially that of NFS over AUTH_DES (since renamed to AUTH_DH,
> and now deprecated). The white paper by Goldberg and
> Taylor from the Summer 1986 USENIX Conference has a clean description
> of the model.

thanks, I'll take a look.

> > also a simple question. Is the security model made in a way that allows
> > one to authenticate the entire client machine i.e. get the security one
> > would get from running current NFS over ipsec, but w/o the ipsec
> > requirement. (uid/gid pair of process of client determines access
> > rights)
>
> NFSv4 mandates the implementation of RPCSEC_GSS
> w/ Kerberos V5, SPKM-3, and LIPKEY.
> Like AUTH_DH, the mandatory security mechanisms are oriented toward
> authenticating individual users, and not
> client machines. There's nothing preventing one from deploying
> security mechanisms for NFSv4 that authenticate machines, but
> since those mechanisms are not mandatory, in theory the chances of
> achieving interoperability are lower. That said, I'm sad to say
> that AUTH_SYS and its de-facto trusted client model are likely
> to be used with NFSv4 for a long time, simply because it
> is trivial to set up compared to anything that is actually
> secure.
ok, this might be a stupid question, but it seems accepted that AUTH_SYS doesn't provide any real security (except if one is using IPSEC or has extreme physical security) as one could easily impersonate a machine, so why wasn't there any middle ground taken, such as an AUTH_SYS that supported secrecy/privacy and integrity, much like the RPCSEC_GSS module does. Is the reason nothing like this has been done because "if you want that, just use AUTH_SYS with IPSEC" or is there a different reason?

thanks,
shaya potter
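To make concrete what the "de-facto trusted client model" above means on the wire, here is an added example (not from this thread and not from any NFS implementation) that decodes the credential field of an ONC RPC call header as laid out in RFC 5531 and reports what the server can actually rely on: under AUTH_SYS the host, uid and gid are just values the client wrote into the message, while RPCSEC_GSS (RFC 2203) carries a per-context service level of authentication only, integrity or privacy. The builder functions and every sample value are constructed for the demonstration.

```python
import struct
FLAVORS = {0: "AUTH_NONE", 1: "AUTH_SYS", 3: "AUTH_DH", 6: "RPCSEC_GSS"}  # RFC 5531
GSS_SERVICE = {1: "authentication only", 2: "integrity", 3: "privacy"}      # RFC 2203

def xdr_opaque(b):
    """XDR variable-length opaque: 4-byte length, data, zero padding to a 4-byte boundary."""
    return struct.pack(">I", len(b)) + b + b"\0" * (-len(b) % 4)

class XDR:
    """Minimal XDR reader for the few types an RPC call header needs."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def u32(self):
        self.pos += 4
        return struct.unpack_from(">I", self.data, self.pos - 4)[0]
    def opaque(self):
        n, start = self.u32(), self.pos
        self.pos += (n + 3) & ~3  # skip the data plus its padding
        return self.data[start:start + n]

def build_call(flavor, cred_body, xid=1):
    """Constructed RPC v2 CALL: NFS (program 100003) version 4, NULL procedure, AUTH_NONE verifier."""
    hdr = struct.pack(">IIIIII", xid, 0, 2, 100003, 4, 0)  # xid, CALL, rpcvers, prog, vers, proc
    return hdr + struct.pack(">I", flavor) + xdr_opaque(cred_body) + struct.pack(">II", 0, 0)

def auth_sys_cred(host, uid, gid, gids):
    """AUTH_SYS credential body: stamp, machinename, uid, gid, gids. None of it is signed."""
    body = struct.pack(">I", 0) + xdr_opaque(host.encode()) + struct.pack(">II", uid, gid)
    return body + struct.pack(">I", len(gids)) + b"".join(struct.pack(">I", g) for g in gids)

def classify_call(msg):
    """Return (flavor name, what the client asserts, protection the server can actually rely on)."""
    x = XDR(msg)
    xid, msg_type, rpcvers = x.u32(), x.u32(), x.u32()
    if msg_type != 0 or rpcvers != 2:
        raise ValueError("not an RPC v2 CALL")
    x.u32(); x.u32(); x.u32()  # prog, vers, proc are not needed for the verdict
    flavor = x.u32()
    body = XDR(x.opaque())
    if flavor == 1:  # AUTH_SYS: the server has only the client's word for these values
        body.u32()  # stamp
        host = body.opaque().decode()
        uid, gid = body.u32(), body.u32()
        gids = [body.u32() for _ in range(body.u32())]
        return "AUTH_SYS", {"host": host, "uid": uid, "gid": gid, "gids": gids}, "none (client-asserted)"
    if flavor == 6:  # RPCSEC_GSS: version, gss_proc, seq_num, service, then the context handle
        _, gss_proc, seq, service = (body.u32() for _ in range(4))
        return "RPCSEC_GSS", {"gss_proc": gss_proc, "seq": seq}, GSS_SERVICE.get(service, "unknown")
    return FLAVORS.get(flavor, "flavor %d" % flavor), {}, "not decoded here"
```

Run over a capture of NFS calls, the third element is the audit answer to "is anything here authenticated?": AUTH_SYS calls always come back as client-asserted, whatever uid they claim.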
This archive was generated by hypermail 2.1.2 : 03/04/05-01:50:46 AM Z CST