[TriLUG] apple file sharing protocol
Mike M
linux-support at earthlink.net
Mon Apr 12 01:00:03 EDT 2004
On Sat, Apr 10, 2004 at 12:15:29AM -0400, Tanner Lovelace wrote:
> Aaron S. Joyner said the following on 4/9/04 10:40 PM:
>
> [... lots of cool info snipped ...]
>
> >similar. If you ever get the urge to consider doing NFS over a
> >public network, don't. At least use SFS.
Good poop.
>
> Or better yet, use something built to work over WANs like AFS.
I was going to check out the AFS googles, but
this from the SFS FAQ (http://www.fs.net/sfswww/) stopped me in my
tracks:
NFS, for example, transmits secret file handles in every file system
request. An attacker who learns the file handle of even a single
directory can access the entire file system as any user. AFS, another
widely-used network file system, does not keep the contents of private
files secret from network eavesdroppers. Moreover, AFS uses an insecure
message authentication code (MAC) to protect the integrity of
communication between clients and servers. An active attacker can, with
very little computation, tamper with and change the contents of AFS
messages in transit. Coda has approximately the same security
properties as AFS.
>
> I'll also add that the reason I suggested Samba instead of NFS
> was that even though NFS is easy to set up on Linux, it's not
> quite as easy to set up on OS X. I run NFS at home and it
> works fine. Performance isn't an issue, but then again,
> I don't have a lab full of machines.
Me too. Lots of machines with one user is OK for NFS too. Not
much security risk either. OTOH, I've been training myself
to go secure whenever I can. I use ssh and scp in my one-man
lab.
Now I am wondering if Samba is a security hole?
Samba on Linux is not so bad. Sounds like the alternative (NFS on OSX) is
awful. Probably get more better free help on Samba/Linux than
OSX/NFS too.
--
Mike
Moving forward in pushing back the envelope of the corporate paradigm.