Agreed in most points. Basically NFS's power and weakness is it trusts the IP network it is on, and that is all. It works great for a secured Data center network where all machines are hidden behind a firewall and can somewhat trust each other and there is no public access. Not so good at all for public mounting. It's too bad too, because if someone ever came up with an NFS that required a simple certificate verification handshake upon connection, (so the nfs daemons didnt trust the network, they trusted the certficiate) then it would be much better and safer to use in public area. Just my 2 cents worth. Wayner P.S. root_squash means that root on the local machien does NOT have root access to the nfs drives. Unfortunately nothing stops you from faking the userid of other users on your linux distribution on your laptop, then filesharing into their files once your laptop is on the network. >>> vzlatkin@xxxxxxxxxx 08/31/06 9:26 am >>> Certainly a vague question. I think of it from the perspective of how hard is it for me to see someone else's nfs data. The answer is: very easy. Take a common scenario where many users mount their home directory via nfs, and you use root_squash. To gain access to a user's data all you need is root on a machine that can mount any home directory. Then just su - [username] and you'll have access. Some magic required, but that is pretty insecure. I've never tried nfs over ssh, but I know you can restrict the different nfs components to use a specific port instead of portmap. Therefore, it should be possible to do nfs over ssh. -Vlady Miner, Jonathan W (CSC) (US SSA) wrote: > Hi - > > Asking if something is "secure" is a pretty vague question... Whether your system is secure or not depends on how you are using it, and what level of security you need. I can't speak for NFSv4 yet. > > See the manual page for /etc/exports to learn how to restrict who can mount your filesystems, read-write or read-only, and whether the clients' root account has privs or not. > > You could even use iptables (or another firewall) to restrict clients. > > NFS does not encrypt traffic, but it might be possible to run NFS over an VPN or SSH-tunnel. > > > -----Original Message----- > From: redhat-list-bounces@xxxxxxxxxx on behalf of Shekhar Dhotre > Sent: Thu 08/31/2006 08:58 AM > To: General Red Hat Linux discussion list > Cc: > Subject: RE: is NFS secure ? > > So, NFS versions before NFSv4 were not secure right ? > > -----Original Message----- > From: redhat-list-bounces@xxxxxxxxxx > [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Anze Vidmar > Sent: Thursday, August 31, 2006 8:53 AM > To: General Red Hat Linux discussion list > Subject: Re: is NFS secure ? > > On Thu, 2006-08-31 at 08:48 -0400, Shekhar Dhotre wrote: > >> OK , Is NFS secure ? > NFSv4 is. > > -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
