[OpenAFS] Re: [SAGE] Code to demo NFS/UDP weakness?

Skylar Thompson skylar@cs.earlham.edu
Wed, 02 Aug 2006 09:49:12 -0700


Daniel Clark wrote:
> On 8/2/06, Skylar Thompson <skylar@cs.earlham.edu> wrote:
>> Daniel Clark wrote:
>> > I'm putting together a "NFSv3 is disgustingly insecure, we should move
>> > to OpenAFS" type presentation for my management [1]. I've found
>> > explanations to be less than completely understood, so I've decided to
>> > put together a demo.
>> >
>> This seems like a bit of an overreaction. Why not just Kerberize your
>> NFS setup? You'll have to set up Kerberos anyways for AFS, and AFS can be
>> a PIA to work with.
> Because Kerberized NFSv3 was never standardized or widely implemented,
> or well documented across vendors. Here is a partial list of all of
> the platforms we need to support; I have verified working IBM or
> OpenAFS clients on almost all of them:
> AIX 4.3.1, 4.3.3, 5.1, 5.2, 5.3
> GNU/Linux: Debian Woody and later
> GNU/Linux: Redhat 6.0 and later, RHEL 3 and later
> GNU/Linux: SuSE SLES8 and later
> GNU/Linux: Ubuntu Breezy Badger and later
> GNU/Linux: United Linux 1.0
> Solaris/sparc: 2.6, 7, 8, 9, 10
> Solaris/x86: 10

With this system list, I can see where AFS might be better. You might
also check NFSv4, though.

> If you can point me to a site describing how to set up Kerberized
> NFSv3 across all of these platforms, I'd love to see it.

I know the Linux one here:


> Also I'm not a Kerberized NFSv3 expert, but it would be hard for me to
> believe that it would solve *all* of the numerous NFSv3 security
> problems.
>> Where I work, we're moving off AFS to Kerberized NFS because AFS can be
>> difficult to work with.
> You must have limited platform support requirements :-)

Indeed. In fact, I come from a FreeBSD environment where AFS isn't even
an option. ;)

> I've also admined both, and have had far more problems with NFSv3,
> esp. with things sort-of-but-not-really working in difficult-to-debug
> ways, weird performance issues, and the automounter code, which is
> different for each platform, can work in inconsistent ways, and often
> requires a reboot of the machine to fix.

I find that sticking with server platforms with known-good NFS
implementations (i.e. not Linux) and UDP is a good approach. FreeBSD and
Solaris have both done well in my experience. The Linux NFS server
implementation has given no end of problems.

-- Skylar Thompson (skylar@cs.earlham.edu)
-- http://www.cs.earlham.edu/~skylar/
