Date: Sun, 14 Jan 2001 21:14:05 -0800
From: Brooks Davis <brooks@one-eyed-alien.net>
To: David Andreas Alderud <aaldv97@student.vxu.se>
Cc: _Security <security@FreeBSD.ORG>
Subject: Re: Encrypted networked filesystem needed
Message-ID: <20010114211405.A10193@Odin.AC.HMC.Edu>
In-Reply-To: <003e01c07db6$fac4b850$6400a8c0@xgod>; from aaldv97@student.vxu.se on Sun, Jan 14, 2001 at 12:17:20AM +0100
References: <Pine.NEB.3.96L.1010112213123.14123C-100000@fledge.watson.org> <003e01c07db6$fac4b850$6400a8c0@xgod>

[Please wrap lines to < 80 columns.]

On Sun, Jan 14, 2001 at 12:17:20AM +0100, David Andreas Alderud wrote:
> It might be a good idea to take a look at NIS+ if you want to use NFS,
> there are still some problems but considering how simple it is to
> use NIS+ it's really good, NIS+ removes most of the problems with DNS.
> The reason for using NIS+ is mainly because it's designed to work
> with NFS, both coming from Sun Microsystems.

The sad fact is that if you can't trust your wire, you can't trust NIS+.
It's vulnerable to even the lamest man in the middle attack. The basic
problem is that SecureRPC (on which NIS+ is based) doesn't validate the
body of the packet, just the headers. For example, it's quite trivial
to write a man in the middle attack that turns any valid user into a
user with an arbitrary user id (perhaps zero ;-) and a known password if
you use NIS+ for logins.

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
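
A simplified model of the weakness described in the message above, added here as an example; it is not part of the original e-mail and does not reproduce the SecureRPC wire format. The header layout, the HMAC-SHA256 verifier, the shared key and the passwd-style record are all assumptions constructed for illustration. It contrasts a verifier computed over the header only with one computed over header and body.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-conversation-key"   # constructed; both peers are assumed to share it
HDR = struct.Struct("!II")              # hypothetical header: transaction id, timestamp
TAG_LEN = hashlib.sha256().digest_size


def _tag(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


def seal(xid: int, ts: int, body: bytes, cover_body: bool) -> bytes:
    """Build header | verifier | body. cover_body=False models header-only checking."""
    header = HDR.pack(xid, ts)
    covered = header + body if cover_body else header
    return header + _tag(covered) + body


def open_msg(msg: bytes, cover_body: bool):
    """Return the body if the verifier checks out, else None."""
    if len(msg) < HDR.size + TAG_LEN:
        return None
    header = msg[:HDR.size]
    tag = msg[HDR.size:HDR.size + TAG_LEN]
    body = msg[HDR.size + TAG_LEN:]
    covered = header + body if cover_body else header
    return body if hmac.compare_digest(tag, _tag(covered)) else None


def rewrite_in_transit(msg: bytes) -> bytes:
    """Model of an on-path change made without the key: only body bytes are edited."""
    prefix, body = msg[:HDR.size + TAG_LEN], msg[HDR.size + TAG_LEN:]
    return prefix + body.replace(b":1001:1001:", b":4242:4242:")


RECORD = b"alice:*:1001:1001::/home/alice:/bin/sh"   # constructed directory reply

if __name__ == "__main__":
    for cover in (False, True):
        received = open_msg(rewrite_in_transit(seal(7, 1000, RECORD, cover)), cover)
        print("verifier covers body:", cover, "-> accepted:", received)
```

With the header-only verifier the receiver accepts the altered record as authentic; with the body covered, the same alteration makes verification fail.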