Date: Fri, 3 Apr 1998 02:02:49 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
To: Mark Murray <mark@grondar.za>
Cc: Narvi <narvi@haldjas.folklore.ee>, freebsd-security@FreeBSD.ORG
Subject: Re: Is there a safe way for filesystem export?
Message-ID: <Pine.BSF.3.96.980403015815.21311R-100000@fledge.watson.org>
In-Reply-To: <199804030634.IAA00305@greenpeace.grondar.za>
On Fri, 3 Apr 1998, Mark Murray wrote:

> > I think there is an option to NFS to use kerberos tickets to authenticate
> > users/user actions.
>
> The option is there, but the Kerberos code to do it is incomplete.

Distributed file systems such as AFS, DFS, and Coda can make use of Kerberos (in various ways) to authenticate user operations with Kerberos. I know that AFS and Coda both maintain a pool of authenticated connections per user on a client host, and the server verifies that operations come over authenticated connections.

AFS and DFS are, of course, commercial products, and are probably far higher-overhead than what you are looking for (they are *not* equivalent to NFS in behavior -- closed servers and all :). Coda is freely available (ports exist for FreeBSD, NetBSD, Linux, and Mach), but is still under development. The Kerberos code is not currently integrated into the main distribution available for download, but should be in there within a version or so. I am currently making protocol-level changes to the RPC package used by Coda, and we have not tested it fully. Coda is also not a drop-in replacement for NFS, as it is also designed with dedicated servers, etc, in mind.

AFS and DFS are available from Transarc, http://www.transarc.com/

Coda is an ongoing research project at Carnegie Mellon University, http://www.coda.cs.cmu.edu/

None of this is immediately related to NFS and Kerberos, however. :)

To secure NFS between my hosts (which trust each other), I use a combination of private networks, secure IP tunneling using custom software and SKIP, and packet filters. I'd rather use Coda, but it is not yet sufficiently stable to use in a production environment.
Robert N Watson
Carnegie Mellon University            http://www.cmu.edu/
Trusted Information Systems           http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/