NFS Authentication

A few vendors also support a version of NFS based on Secure RPC, which addresses many of the authentication problems by providing reasonable authentication of both the client machine and the user. Secure RPC has several problems of its own, which also apply to NFS implemented on top of it:

  1. It is not widely supported; it is available only on Sun systems.
  2. Exchanging keys between machines is difficult.
  3. It does not perform as well as standard RPC (and NFS is particularly performance sensitive).
  4. The public keys it uses are very small.


NFS was originally designed for file sharing within local networks. Although it is tuned to work on networks with delays, it is not safe to allow through a firewall, for several reasons. The main security problems with NFS are:

  • The NFS server generally relies on the IP address to authenticate client hosts, which makes it vulnerable to address forgery.
  • The NFS server generally relies on the client to authenticate users, which makes it vulnerable to any user who has compromised a client machine.
  • The NFS server does not recheck client authentication on each request. The server assumes that if a client presents a valid file handle, that client has been authorized to access the file system. An attacker holding a forged or captured file handle can access the file system as easily as a legitimate client can.


The primary problem with NFS is its weak authentication of requests. Access to a given NFS-exported file system is all or nothing: either a given machine is trusted to access the file system, or it is not. If the server trusts a client machine, it believes whatever that client tells it about who is trying to access which files, and it uses that information for authorization according to the standard Unix file mechanisms (that is, user, group, and other permissions).


The server's trust in a client is established when the client mounts a file system from the server. To mount a file system, the client sends a mount request containing the name of the file system to the mountd RPC service on the server and asks for permission to mount it. The mountd service checks whether the client is allowed to access that file system, using the source IP address of the request to identify the client.
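The trust decisions described above (which hosts mountd admits by address, and whether the server simply believes the user identity the client asserts) are configured on Linux servers in /etc/exports. The following audit script is an added example, not code from the original page; it parses a constructed sample exports file in Linux exportfs syntax and flags the entries that exhibit the weaknesses discussed here. The `sec=` option and the finding names are assumptions of this example.

```python
import re

# Constructed sample /etc/exports in Linux exportfs syntax; not from any real host.
SAMPLE_EXPORTS = """
# lab home directories
/export/home  192.0.2.0/24(rw,sync)
/export/pub   *(ro,no_root_squash)
/srv/build    build01(rw,sec=krb5p) build02(rw,insecure)
/srv/backup   (rw)
"""

# One client entry: optional host (name, IP or CIDR) plus an optional "(opt,opt)" list.
CLIENT_RE = re.compile(r"(?P<host>[^\s(]*)(?:\((?P<opts>[^)]*)\))?")

def parse_exports(text):
    """Yield (path, host, options) for every client entry in an exports file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue                          # no client list: nothing is exported
        path, clients = parts
        for token in clients.split():
            m = CLIENT_RE.fullmatch(token)
            if not m:
                continue                      # malformed token, skip rather than guess
            host = m.group("host") or "*"     # "(opts)" with no host applies to everyone
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            yield path, host, opts

def audit_entry(host, opts):
    """Return short tags for the weaknesses this export entry exhibits."""
    findings = []
    if host == "*" or host.startswith("*."):
        findings.append("any-host")   # trust is decided by address alone, and here granted to all
    sec = [o[len("sec="):] for o in opts if o.startswith("sec=")]
    if not sec or "sys" in sec[0].split(":"):
        # sec=sys (the default): the server believes whatever uid/gid the client asserts
        findings.append("client-asserted-identity")
    if "no_root_squash" in opts:
        findings.append("no_root_squash")   # a client claiming uid 0 gets root on the export
    if "insecure" in opts:
        findings.append("insecure-ports")   # requests need not come from a privileged port
    return findings

def audit_exports(text):
    """Map (path, host) -> list of findings for every entry in the exports text."""
    return {(path, host): audit_entry(host, opts) for path, host, opts in parse_exports(text)}
```

Only the `build01` entry, which uses Kerberos rather than client-asserted identity, comes back without findings; every other entry in the sample shows at least one of the weaknesses listed above.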
