From owner-freebsd-questions Wed Jul 3 14:17:20 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA26154 for questions-outgoing; Wed, 3 Jul 1996 14:17:20 -0700 (PDT)
Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id OAA26147 for ; Wed, 3 Jul 1996 14:17:16 -0700 (PDT)
Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id OAA11265; Wed, 3 Jul 1996 14:06:35 -0700
From: Terry Lambert
Message-Id: <199607032106.OAA11265@phaeton.artisoft.com>
Subject: Re: Secure NFS
To: wollman@lcs.mit.edu (Garrett Wollman)
Date: Wed, 3 Jul 1996 14:06:35 -0700 (MST)
Cc: terry@lambert.org, compland@ism.com.br, questions@freebsd.org
In-Reply-To: <9607032046.AA09843@halloran-eldar.lcs.mit.edu> from "Garrett Wollman" at Jul 3, 96 04:46:11 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> >> Is it possible to set portmon variable, like in SunOS, in Freebsd to
> >> watch out the NFS mounts, forcing the request to come from a privileged port ?
> >> It's possible to set secure NFS in Freebsd ?
>
> > This is the default. You must use -n to disable it (man mountd).
>
> Of course, this really has nothing to do with security, it's just a
> stupid restriction on Sun's part to paper over the fact that standard
> NFS isn't secure.

It's more secure in the sense that vouchsafe authentication is more secure than not having passwords at all.

The question is in how you define, firewall, and administer vouchsafe secure zones. It is *possible* to do this in a reasonable way, even if many of us dislike the idea because the typical administrator does not have enough experience to do it correctly.

It is a tightrope, and it is possible to walk a tightrope, but few people can do it correctly.

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present or previous employers.