Security Basics mailing list archives

Re: Secure NFS


From: Bear Giles <bgiles () coyotesong com>
Date: Thu, 27 Feb 2003 11:09:29 -0700

> I've been wondering about this for a while now...
>
> Everybody knows NFS is insecure. Right. So no-one uses it. Why not simply
> modify NFS to use encryption? Why not?
>
> Not tunneling, modify the source to either (a) establish ssl connections, or
> (b) manually encrypt all traffic (I would prefer this one).

(I'm coming in late, so maybe this has already been mentioned.)

Standard NFS is built on top of standard RPC, and the latter is insecure because almost all sites support "unix authentication" at best. That's user-id based, trivially forged by anyone with root access.

But RPC is an extensible protocol and there are a number of secure alternatives to Unix authentication. RPC-DES has been around for years, and RPC-GSSAPI (Kerberos) almost as long. I don't recall seeing RPC-PKIX (SSL), but it's an obvious extension. Use any of these, and truly secure NFS falls out of it. All you have to do is make a trivial change to the NFS client and server to require the secure alternative, plus whatever changes you need to access the new authentication objects.

The latter has been the killer. It's not impossible - SecureNFS and SecureRPC (using DES) have been on the market for years - but it requires a nontrivial amount of work to set up. The traditional Unix vendors could afford the investment, but the OSS community largely (and falsely) believes that SSH tunnels eliminate the need for this. SSH tunnels might work great when connecting a handful of systems, but they don't scale well.
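The RPC authentication flavors discussed in the message above, as an added example that is not part of the original post: a Python decoder for the credential of an ONC RPC call that reports which flavor a client used and, for "unix authentication" (AUTH_SYS), the identity fields the client filled in itself. The flavor numbers are those of RFC 5531 and RFC 2203; the function names and the sample messages (host `client1`, uid 1000) are constructed for illustration.

```python
import struct

# ONC RPC auth flavor numbers (RFC 5531; RPCSEC_GSS from RFC 2203).
FLAVORS = {0: "AUTH_NONE", 1: "AUTH_SYS", 3: "AUTH_DH", 6: "RPCSEC_GSS"}
CRYPTO_FLAVORS = {3, 6}  # AUTH_DH is the RPC-DES of the post, RPCSEC_GSS its RPC-GSSAPI

def parse_call_cred(msg: bytes) -> dict:
    """Decode the credential of one RPC call (TCP record mark already stripped)."""
    try:
        xid, mtype, rpcvers, prog, vers, proc, flavor, clen = struct.unpack_from(">8I", msg)
        if mtype != 0 or rpcvers != 2:
            raise ValueError("not an ONC RPC version 2 call")
        if clen > 400 or len(msg) < 32 + clen:
            raise ValueError("bad credential length")
        body = msg[32:32 + clen]
        info = {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
                "flavor": FLAVORS.get(flavor, f"unknown({flavor})"),
                "crypto": flavor in CRYPTO_FLAVORS}
        if flavor == 1:
            # authsys_parms: stamp, machinename<255>, uid, gid, gids<16>; all client-supplied, unsigned.
            stamp, nlen = struct.unpack_from(">II", body)
            if nlen > 255:
                raise ValueError("machine name too long")
            off = 8 + ((nlen + 3) & ~3)  # XDR pads strings to a 4-byte boundary
            uid, gid, ngids = struct.unpack_from(">III", body, off)
            if ngids > 16:
                raise ValueError("too many supplementary gids")
            gids = struct.unpack_from(f">{ngids}I", body, off + 12)
            info.update(machine=body[8:8 + nlen].decode("ascii", "replace"),
                        uid=uid, gid=gid, gids=list(gids))
        return info
    except struct.error as exc:
        raise ValueError("truncated RPC message") from exc

def build_sample_call(flavor: int, cred: bytes) -> bytes:
    """Constructed sample: NFS (program 100003) v3 GETATTR call, AUTH_NONE verifier."""
    head = struct.pack(">8I", 0x1234, 0, 2, 100003, 3, 1, flavor, len(cred))
    return head + cred + struct.pack(">II", 0, 0)

def sample_authsys_cred() -> bytes:
    """Constructed AUTH_SYS body: host "client1", uid 1000, gid 100, gids [100, 10]."""
    name = b"client1"
    padded = name + b"\0" * (-len(name) % 4)
    return (struct.pack(">II", 0, len(name)) + padded
            + struct.pack(">III", 1000, 100, 2) + struct.pack(">2I", 100, 10))

if __name__ == "__main__":
    for m in (build_sample_call(1, sample_authsys_cred()), build_sample_call(6, b"\0" * 20)):
        print(parse_call_cred(m))
```

A server or network monitor can use the `crypto` field to audit which clients still send AUTH_SYS to the NFS program before the server is switched to require one of the authenticated flavors.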

