[lpi-discuss] Re (snip) more personal opinion (on NFS)

[Bryan J. Smith]

On Wed, 2004-10-20 at 20:47, Matt Benjamin wrote:
> traditional NFS very much is less secure than alternatives.

When you compare a 10+ year design to the latest "alternatives," of
course.  But if you use something like SFS, which provides at least
system-level authentication as well, it can be quite sufficient.

Most advocates of CIFS/SMB ("Windows Networking") are not familiar with
_series_limitations_ of it -- both for legacy as well as even as
ADS-implemented.  IPSec and SMB Signing were two PITAs that I've had
regular issues with at a Fortune 20 company that not even the on-site
Microsoft consultants could resolve (and they told us to disable them).

> This doesn't appear to be an issue with NFSv4--but the superiority of 
> NFSv4 isn't implementation trivia, either, its security is by design.

I'm not even getting into NFSv4, which addresses more of the user-level
authentication and authorization considerations.  Now combined with SFS
and system-level authentication, it's very sufficient in comparision to
CIFS/SMB.

This discussion is not trival.  But the concepts presented on the LPIC-1
exams _are_.  The NFS concepts are basic enough that they are not only
applicable to NFS, but how UNIX/Linux platforms export and mount remote
filesystems -- which was my general argument.


-- 
Bryan J. Smith                                  b.j.smith at ieee.org 
------------------------------------------------------------------ 
"Communities don't have rights. Only individuals in the community
 have rights. ... That idea of community rights is firmly rooted
 in the 'Communist Manifesto.'" -- Michael Badnarik