From: Jim Rees <rees@umich.edu>
To: Simo Sorce <simo@redhat.com>
Cc: linux-nfs <linux-nfs@vger.kernel.org>,
Steve Dickson <steved@redhat.com>,
Jeffrey Layton <jlayton@redhat.com>
Subject: Re: [PATCH] Avoid PTR lookups when possible
Date: Tue, 2 Apr 2013 12:46:31 -0400 [thread overview]
Message-ID: <20130402164631.GA23840@umich.edu> (raw)
In-Reply-To: <1364919975.2660.1255.camel@willson.li.ssimo.org>
Simo Sorce wrote:
It's a MITM setting.
Suppose you have 2 servers:
secure.server.name where you store confidential documents
public.server.name where everyone have access for reading (and you can
write)
If you mount -t nfs secure.server.name/export and rely on PTR records
and an attacker can spoof your PTR request to return public.server.name
you will end up acquiring a ticket for public.server.name from the KDC.
Then the attacker will redirect your mount to public.server.name all the
while you think you have mounted secure.server.name
Now anything you copy there goes to a public server instead of your
secure server.
Now imagine your secure server is a backup server which gets mounted by
a cron job every night for backups of sensitive information.
I guess what you're saying is that the client might not know the full name
of the secure server, and could be tricked into thinking it's
public.server.name. That's not what I'd call mitm; kerberos is pretty much
immune to mitm. It's not really a dns mitm either, it's a spoofed reply.
I would be in favor of requiring kerberized nfs clients to know the full
name of the server they're trying to connect to. Kerberized nfs clients
should not be relying on dns for any part of their security. But I guess we
haven't been doing that, and to make that a requirement now would be a
compatibility problem.
next prev parent reply other threads:[~2013-04-02 16:46 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-02 13:45 [PATCH] Avoid PTR lookups when possible Simo Sorce
2013-04-02 14:17 ` Jeff Layton
2013-04-02 15:00 ` Jim Rees
2013-04-02 16:26 ` Simo Sorce
2013-04-02 16:46 ` Jim Rees [this message]
2013-04-02 17:03 ` Simo Sorce
2013-04-02 18:39 ` Jim Rees
2013-04-02 18:48 ` Simo Sorce
2013-04-02 18:53 ` Jim Rees
2013-04-02 19:02 ` Simo Sorce
2013-04-03 13:44 ` J. Bruce Fields
2013-04-03 14:40 ` Jim Rees
2013-04-03 16:03 ` Simo Sorce
2013-04-03 17:12 ` J. Bruce Fields
2013-04-03 18:12 ` Simo Sorce
2013-04-03 18:20 ` J. Bruce Fields
2013-04-02 15:18 ` Steve Dickson
2013-04-02 15:51 ` Chuck Lever
2013-04-02 16:29 ` Simo Sorce
2013-04-02 20:21 ` Chuck Lever
2013-04-02 20:33 ` Simo Sorce
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130402164631.GA23840@umich.edu \
--to=rees@umich.edu \
--cc=jlayton@redhat.com \
--cc=linux-nfs@vger.kernel.org \
--cc=simo@redhat.com \
--cc=steved@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.