[7156] in Kerberos

Re: Athena style kerberized NFS on netbsd

daemon@ATHENA.MIT.EDU (Greg Wohletz)
Fri Apr 26 02:16:35 1996

To: kerberos@MIT.EDU
In-Reply-To: Your message of "26 Apr 1996 00:14:20 EDT."
             <4lpiis$4m2@panix2.panix.com> 
Date: Thu, 25 Apr 1996 22:59:21 -0700
From: Greg Wohletz <greg@duke.CS.UNLV.EDU>

>In article <9604251032.AA26293@MIT.EDU>,
>Greg Wohletz <greg@duke.CS.UNLV.EDU> wrote:
>>We have for several years been using Athena style knfs on our
>>sparc fileservers (running SunOS 4.x).  By Athena style I am
>>referring to the nfsid program and friends.  Anyway I'm about to
>>undertake porting the kernel changes into a NetBSD 1.1 kernel.
>>
>>Has anyone done this already, or done it on a similar system like
>>FreeBSD?
>
>There is already similar code in 4.4BSD-Lite and Lite2.
>
>IMHO it's not in NetBSD because it's considered nearly useless -- in the
>face of active TCP attacks as are becoming increasingly common today, you
>need at the very least a per-RPC signature, which is often more
>computationally expensive than just encrypting the whole stream in the first
>place.
>
>4.4BSD knfs is not compatible with the Athena SunOS knfs, because 4.4 knfs
>works only over TCP.
>
>If you're interested in doing a *useful* knfs implementation, I could probably
>point you at some people who have attacked it in the past.

Well, useless is a bit strong I'd say.  Clearly it isn't perfect, but it has
the big advantage of not requiring client side kernel modifications.  That
matters a lot in an environment where a mixture of various commercial OS'es
is a fact of life.  I think it offers significantly more protection than
just generic NFS.

							--Greg
