need help with NFS and user authentication

[Craig White]

On Sat, 2009-02-28 at 19:10 -0700, Alex Dean wrote:
> On Feb 28, 2009, at 5:16 PM, Bob Elzer wrote:
> 
> >>> I could probably change uids everywhere so they all match on all
> > machines, but this seems 1.
> > klunky and 2. really insecure.
> 
> Granted, it's a small network with few nodes.  Changing uids is  
> probably workable in this case, and may be the solution I end up going  
> with.  But it doesn't seem like it scales very well.  If I'm uid 1000,  
> how hard is it for any random person to create some uid 1000 on their  
> machine, connect to the network, and access my files with my  
> permissions?  That seems pretty insecure to me.
> 
> Take a look at this for a similar issue : http://nfsworld.blogspot.com/2006/02/real-authentication-in-nfs.html
> 
> >
> > Why would you think that ? How is the server going to know it's you,  
> > if
> > every time you connect, you have a different UID ?
> 
> I'd prefer to have some other mechanism for authorization.  That's the  
> core of what I'm asking.  I will poke at Kerberos a bit, and if I have  
> success setting it up, I will probably go with it.  If it seems too  
> involved for my simple little network, then I'll get busy changing uids.
> 
> >
> > You wouldn't give a different name at different DMV offices would  
> > you ?
> 
> To me, the better question is 'you wouldn't believe anyone having ID #  
> 1000 is guaranteed to be the same person, would you?'.
----
nfs4 uses kerberos, nfs3 does not.

NFS is secure if you take the time/energy to make it secure but if the
LAN itself is not secure, NFS probably is not the greatest
concern...especially when considering that the discussion involved your
home LAN.

Kerberos by itself won't fix the issues with identity and uid numbers -
that would take an implementation of both LDAP and Kerberos.

Craig