[TriLUG] NFS/NIS/Automount/BIND
Jon Carnes
jonc at nc.rr.com
Wed Apr 23 23:26:41 EDT 2003
On Wed, 2003-04-23 at 23:01, Stephen P. Schaefer wrote:
> I also use NFS, for the same reason. But I don't delude myself that
> it's secure. Now, Sun offers Kerberos authentication for NFS, and that
> would be OK. But without that (which is unavailable for Linux) anyone
> with physical access to the subnet can see whatever they want by
> spoofing packets.
>
> Suppose you've got a nice, tight workstation that only allows ssh
> logins, but uses an NFS home directory. So: I give my laptop the MAC
> address and IP address of the NFS server. I initiate an ssh connection
> to your workstation. sshd looks for $HOME/.ssh/authorized_keys, which
> I, as the spoofing NFS server, happily supply to match the id_dsa private
> key I'm using for your account. You're owned. It doesn't have to work
> the first time or most of the time. It just has to work once.
>
> Oh, but physical access to the subnet is so difficult to get! you
> respond. I see. You scan your network for wireless access points
> constantly, don't you? No? Tra la la.
>
> - Stephen
>
Actually, my totally switched internal network would immediately scream
about your duplicate MAC address. And the routing trees in my switches
would send up a flare about the two divergent routes to the same IP.
Sorry. No owning here.
Jon Carnes
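
The kind of check this reply relies on (one MAC address showing up on two switch ports, or one IP claimed by two MACs), sketched as an added example that is not part of the original thread or any switch vendor's code. The observation tuple format, port names, addresses and the 30-second window are all constructed assumptions.

```python
# Constructed sample observations (not from the thread): each tuple is
# (seconds, switch_port, source_mac, source_ip), as a periodic poll of a
# switch MAC table joined with ARP data might report them.
OBSERVATIONS = [
    (0,  "gi0/1", "00:11:22:33:44:55", "192.0.2.10"),  # NFS server
    (5,  "gi0/7", "00:aa:bb:cc:dd:ee", "192.0.2.50"),  # workstation
    (12, "gi0/9", "00:11:22:33:44:55", "192.0.2.10"),  # same MAC+IP, other port
    (13, "gi0/1", "00:11:22:33:44:55", "192.0.2.10"),  # real server talks again
    (20, "gi0/4", "00:de:ad:be:ef:01", "192.0.2.50"),  # second MAC claims an IP
]


def find_conflicts(observations, window=30):
    """Return alerts for a MAC seen on two ports, or an IP claimed by two
    MACs, when both sightings fall within `window` seconds of each other."""
    last_port = {}  # mac -> (time, port) of the most recent sighting
    last_mac = {}   # ip  -> (time, mac) of the most recent claim
    alerts = []
    for ts, port, mac, ip in sorted(observations):
        prev = last_port.get(mac)
        # A cloned MAC keeps the IP-to-MAC binding intact, so the only
        # visible symptom is the address flapping between switch ports.
        if prev and prev[1] != port and ts - prev[0] <= window:
            alerts.append(("mac-move", mac, prev[1], port, ts))
        last_port[mac] = (ts, port)

        prev = last_mac.get(ip)
        # Two different MACs answering for one IP is the classic
        # duplicate-address / ARP-conflict signal.
        if prev and prev[1] != mac and ts - prev[0] <= window:
            alerts.append(("ip-conflict", ip, prev[1], mac, ts))
        last_mac[ip] = (ts, mac)
    return alerts


if __name__ == "__main__":
    for alert in find_conflicts(OBSERVATIONS):
        print(alert)
```

A host that is legitimately re-cabled to another port long after its last sighting falls outside the window and raises no alert.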