Which more secure alternatives to standard NFS are available?

Post by Rainer Peip » Sat, 22 Jul 2000 04:00:00



Hi,

I am looking for alternatives to plain NFS which are more robust to
trivial attacks. I am not paranoid about security, but it should not
be as simple as it is with standard NFS to plug in a simple Linux box,
where you have root account, mount an exported file system, switch to
a known user-id and access these files. Even Windows networking is
much more secure since it uses server side authentication.

Are there any alternatives (which work also on SGI/IRIX)?

Rainer

 
 
 

Post by Sudd » Sun, 23 Jul 2000 04:00:00


I always get a little queasy when I share directories.  :-)  I think that
sharing directories through SAMBA is more secure than NFS.  Just my opinion,
however.

>Hi,

>I am looking for alternatives to plain NFS which are more robust to
>trivial attacks. I am not paranoid about security, but it should not
>be as simple as it is with standard NFS to plug in a simple Linux box,
>where you have root account, mount an exported file system, switch to
>a known user-id and access these files. Even Windows networking is
>much more secure since it uses server side authentication.

>Are there any alternatives (which work also on SGI/IRIX)?

>Rainer


 
 
 

Post by Rainer Peip » Tue, 25 Jul 2000 04:00:00



> I always get a little queasy when I share directories.  :-)  I think that
> sharing directories through SAMBA is more secure than NFS.  Just my opinion,
> however.

How do you mount SMB shares? As far as I know, one has to provide a
username/password while doing the mount. How can this be automated on
system start? And how about the user/group/other access rights?

Rainer

 
 
 

Post by Bud » Tue, 25 Jul 2000 04:00:00



> Hi,

> I am looking for alternatives to plain NFS which are more robust to
> trivial attacks. I am not paranoid about security, but it should not
> be as simple as it is with standard NFS to plug in a simple Linux box,
> where you have root account, mount an exported file system, switch to
> a known user-id and access these files. Even Windows networking is
> much more secure since it uses server side authentication.

> Are there any alternatives (which work also on SGI/IRIX)?

> Rainer

Are you serious?  Are you sure NFS doesn't have any type of access control?
Not flaming you, I don't know too much about NFS, but you would think there
would be something?

Jack
------
Humor or insanity? http://geekweb.org
------

 
 
 

Post by Tim Hayn » Tue, 25 Jul 2000 04:00:00





> > I am looking for alternatives to plain NFS which are more robust to
> > trivial attacks. I am not paranoid about security, but it should not be
> > as simple as it is with standard NFS to plug in a simple Linux box,
> > where you have root account, mount an exported file system, switch to a
> > known user-id and access these files. Even Windows networking is much
> > more secure since it uses server side authentication.

> Are you serious?  Are you sure NFS doesn't have any type of access
> control?  Not flaming you, I don't know too much about NFS, but you would
> think there would be something?

NFS has some forms of access controls. For starters, consider:

$ cat /etc/exports
#      /etc/exports: the access control list for filesystems which may be
#      exported to NFS clients.  See exports(5).

/var/spool/mail 10.0.0.0/24(rw) *.pigsty.org.uk(rw,no_root_squash)  #   mail stuff
/var/cache/apt/archives/ *.pigsty.org.uk(rw,no_root_squash) 10.0.0.0/24(rw,no_root_squash)  # APT cache

/mnt/suse/mnt/export/netbse/root 10.0.0.3(rw,no_root_squash)
/mnt/suse/mnt/export/netbse/swap 10.0.0.3(rw,no_root_squash)
/mnt/suse/mnt/export/netbse/usr 10.0.0.3(rw,root_squash)
/mnt/suse/mnt/export/netbse/home 10.0.0.3(rw,root_squash)

/mnt/cdrom 10.0.0.3(ro)

... not to mention, doesn't it help to have portmapper set up with
/etc/hosts.{allow,deny} as well?

~Tim
--
| Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-          
| The sun is melting over the hills,         | http://piglet.is.dreaming.org/
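
An added example, not part of the post above or of any NFS tooling: a small Python check over exports(5) syntax that flags the entries this thread is concerned with (no_root_squash, read-write exports to a whole subnet or domain, and an option list separated from its host by a space, which then applies to every host). The sample file is constructed from the exports shown above; the /srv/scratch line and the issue labels are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the exports file quoted in the post above;
# the last line (/srv/scratch) is an invented entry showing a stray-space mistake.
SAMPLE_EXPORTS = """\
# /etc/exports
/var/spool/mail 10.0.0.0/24(rw) *.pigsty.org.uk(rw,no_root_squash)  # mail stuff
/mnt/suse/mnt/export/netbse/usr 10.0.0.3(rw,root_squash)
/mnt/cdrom 10.0.0.3(ro)
/srv/scratch 10.0.0.3 (rw)
"""

CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")


def parse_exports(text):
    """Yield (path, client, options) for each client entry in exports(5) syntax."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            m = CLIENT_RE.match(token)
            if m:
                opts = {o for o in (m.group(2) or "").split(",") if o}
                # An option list with no host in front of it applies to every host.
                yield path, m.group(1) or "*", opts


def audit(text):
    """Return (path, client, issue) tuples for risky export entries."""
    findings = []
    for path, client, opts in parse_exports(text):
        rw = "rw" in opts
        if "no_root_squash" in opts:
            # root on the client is root on the server for this export
            findings.append((path, client, "no_root_squash"))
        if client == "*" and rw:
            findings.append((path, client, "world_writable"))
        elif rw and any(c in client for c in "*?/"):
            # any machine in the subnet or domain may mount read-write
            findings.append((path, client, "broad_rw"))
    # root_squash only remaps uid 0: all other uids are still asserted by the client.
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS):
        print(*finding, sep="\t")
```
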

 
 
 

Post by Sudd » Fri, 28 Jul 2000 04:00:00


Here is a letter that I sent to a person requesting help:

I'd be glad to help.

There are several issues of which you should be aware.  First, in the early
days of Windows, passwords were passed "in the clear."  That is, they were
not encrypted.  Even Windows 95 used unencrypted passwords for a while.  But
in the later releases of Windows 95 Microsoft began to encrypt passwords.

Samba can handle either encrypted or unencrypted passwords.  However, if you
choose to use encrypted passwords, maintenance is more difficult at the
server because the encryption algorithm that Microsoft uses is not the same
as the one that Linux uses so you must keep two password lists on the Linux
box.  It can be a real hassle for users to change their passwords.

I would recommend that if the Linux box is going to be a home server that
you do not encrypt passwords but if your network is going to be exposed to
possible packet sniffing that you use encryption.  I only use Samba for my
home server so I can't help you much with the encryption thing.

If you choose not to encrypt and you use a very early version of Windows 95
then you're all set.  But more likely you will be using Windows 98 in which
case you must edit the registry.  If you use NT there may be issues of which
I am unaware so you'll be on your own.

To set a Windows 95/98 box to send passwords in the clear you must use
regedit to add the following key:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\Services\VxD\VNETSUP]
"EnablePlainTextPassword"=dword:00000001

Be very careful as changing the registry can render your system unusable.

I am assuming that you have correctly installed the Samba software.  After
you install Samba, the only thing you need to do to get the whole thing
going is to configure the smb.conf file.  Samba has LOTS of settings but
luckily most of them default to a reasonable value.  The smb.conf file looks
a lot like the old Windows INI files.  It has sections that are bracketed
[section name].

You must have a global section.  Below is an example.  The workgroup would
be set to your domain name.  So if your NT domain was called "FISCAL" you
would set workgroup = FISCAL.
The netbios name should be set to your server's name.  The interfaces
parameter tells Samba the IP address of the LAN card to which it should
listen.  I believe that by default it listens to all cards.  If your server
is also being used as a firewall then you probably don't want to accept smb
connections from the outside world.

[global]
    workgroup = Domain
    netbios name = ComputerName
    interfaces = 192.168.0.1
    password level = 4
    domain logons = Yes
    os level = 64
    preferred master = Yes
    domain master = Yes
    read only = No
    locking = No

You need to create a directory on your Samba server called /export/smb.
This directory is used by your Windows clients when a user logs on.  (It's
a Windows thing.)
In your smb.conf file put the following:

[netlogon]
    comment = NETLOGON service
    path = /export/smb/netlogon
    read only = Yes

Next you define the home directories.  Put the following in your smb.conf.

[homes]
    comment = Home directories
    path = %H
    valid users = %S
    create mask = 0600
    directory mask = 0700
    browseable = No

When a user logs on they will see a share with their user name.  Users can
only see their own home directories.

The next thing you want to do is to define the directories on the Linux box
that you wish to share.  The Samba shares do not take precedence over the
Linux permissions so be sure that the directories that you are sharing allow
the users access or strangeness will occur.  The name inside the brackets is
the name the users will see when they browse.  It has nothing to do with the
actual directory name.  For example, let's say that you have a directory on
your Linux box called "/Data32" but you want the user to see the name
"Files"; you could use the following:

[Files]
    comment = Data
    path = /Data32
    writable = yes
    create mask = 0750
    create directory = 0750

The "path" parameter tells Samba the path to the directory that you are
sharing.  The "writable" parameter tells Samba that users are allowed to
write to the directory.  The "create mask" and "create directory" tell Samba
what permissions to put on new files and directories that are created.

This should be enough to get you started.  You should also read the doc
files and if necessary purchase a book on the subject.
Once you get things working you'll wonder why you ever thought it was
difficult.

Good luck

A user must log onto the DOMAIN to gain access to the shares.



>> I always get a little queasy when I share directories.  :-)  I think that
>> sharing directories through SAMBA is more secure than NFS.  Just my
>> opinion, however.

>How do you mount SMB shares? As far as I know, one has to provide a
>username/password while doing the mount. How can this be automated on
>system start? And how about the user/group/other access rights?

>Rainer

 
 
 
