8 Jun 2001 nmw   » (Journeyer)

gary: Secure NFS is already here. Sun designed a GSS authentication flavor for ONC RPC based on work done at OpenVision. The OpenVision version (which MIT uses in their Kerberos V admin tool) is called AUTH_GSSAPI, whereas Sun's is called RPCSEC_GSS (there are other differences too :)

So now you can use RPCSEC_GSS for NFS authentication, which means you can use any GSS mechanism for which you have a plug-in (Sun supports the old Diffie-Hellman based NIS+ system, new variations of that with longer keys and Kerberos V). Specifications for other GSS mechanisms exist; see the IETF RFC Search and the RFC draft repository (search for GSS and Generic Security Service).

Because RPCSEC_GSS does not change existing ONC RPC protocols, it can be used to secure NFSv2 and NFSv3. But software changes are needed.

Solaris 2.6, 7 and 8 all support RPCSEC_GSS and secure NFS.

NFSv4 also uses RPCSEC_GSS and, as part of the NFSv4 for Linux initiative, a Linux implementation of RPCSEC_GSS is already available. I haven't followed the Linux NFS situation very closely, but it might be possible to do secure NFS with Linux now or, if not now, soon.

NFSv4 probably shouldn't be called NFS anymore. It fixes all/most of the NFSv[23] problems. For example, NFSv4 is stateful (i.e., it has open/close calls), using a variation on the BSD NQNFS file leasing approach; it supports NFS proxies; NT-style ACLs; NT-style open modes; compound RPCs (one packet, multiple calls); the mount protocol goes away; etc...

One more thing: all of Sun's ONC RPC framework is available under the SISSL, IIRC a very liberal license which essentially says you can do whatever you want with the code, even modify and improve it while keeping your mods private, as long as you publish any extensions to the interfaces and reference code also under the SISSL.
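
How RPCSEC_GSS slots into an unchanged ONC RPC call, as an added example that is not part of the original post: the parser below reads the call header and credential of two constructed NFSv3 GETATTR calls, one with AUTH_SYS and one with RPCSEC_GSS, and reports the requested protection service. Field layout and numbers follow RFC 1831 and RFC 2203; the sample messages, handle bytes and function names are assumptions made for illustration.

```python
import struct

RPCSEC_GSS = 6  # auth flavor number assigned in RFC 2203
FLAVORS = {0: "AUTH_NONE", 1: "AUTH_SYS", 3: "AUTH_DH", 6: "RPCSEC_GSS"}
GSS_PROC = {0: "DATA", 1: "INIT", 2: "CONTINUE_INIT", 3: "DESTROY"}
GSS_SVC = {1: "none", 2: "integrity", 3: "privacy"}

def _u32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated XDR data")
    return struct.unpack_from(">I", buf, off)[0], off + 4

def _opaque(buf, off, limit=400):  # opaque_auth bodies are at most 400 bytes
    n, off = _u32(buf, off)
    if n > limit or off + n > len(buf):
        raise ValueError("bad opaque length")
    return buf[off:off + n], off + n + (-n % 4)  # XDR pads to 4 bytes

def parse_call(msg):
    """Parse an ONC RPC call header and, if present, its RPCSEC_GSS credential."""
    hdr, off = [], 0
    for _ in range(7):  # xid, msg_type, rpcvers, prog, vers, proc, cred flavor
        v, off = _u32(msg, off)
        hdr.append(v)
    xid, mtype, rpcvers, prog, vers, proc, flavor = hdr
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an RPC version 2 call")
    body, off = _opaque(msg, off)  # the verifier that follows is not parsed here
    out = {"prog": prog, "vers": vers, "proc": proc,
           "flavor": FLAVORS.get(flavor, str(flavor))}
    if flavor == RPCSEC_GSS:
        if len(body) < 16:
            raise ValueError("truncated RPCSEC_GSS credential")
        ver, gss_proc, seq, svc = struct.unpack_from(">4I", body, 0)
        if ver != 1:
            raise ValueError("unsupported RPCSEC_GSS version")
        handle, _ = _opaque(body, 16)  # context handle issued by the server
        out.update(gss_proc=GSS_PROC.get(gss_proc, str(gss_proc)), seq_num=seq,
                   service=GSS_SVC.get(svc, str(svc)), handle=handle.hex())
    return out

def _xdr_opaque(b):
    return struct.pack(">I", len(b)) + b + b"\0" * (-len(b) % 4)

def sample_call(flavor, cred_body):
    """Constructed NFSv3 GETATTR call (program 100003, version 3, procedure 1)."""
    return (struct.pack(">7I", 0x1234, 0, 2, 100003, 3, 1, flavor)
            + _xdr_opaque(cred_body) + struct.pack(">II", 0, 0))  # empty verifier

# Constructed credentials: AUTH_SYS (stamp, host, uid, gid, no extra gids) and RPCSEC_GSS
SYS_CALL = sample_call(1, struct.pack(">I", 0) + _xdr_opaque(b"client") + struct.pack(">3I", 1000, 1000, 0))
GSS_CALL = sample_call(6, struct.pack(">4I", 1, 0, 7, 2) + _xdr_opaque(b"\xaa\xbb\xcc\xdd"))
```

Both calls carry the same program, version and procedure numbers; only the credential differs. On a real RPCSEC_GSS data call the verifier carries a MIC over the header, which the constructed samples leave empty.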
