I don't know how this was accomplished, but at my university (using hpux) there was a way to register ip addresses with the hardware address of an individual ethernet card. The only way you could get ethernet access was to register your hardware address. If you tried switching your ethernet cards in your computer, you would have to re-register your new hardware address. So there must be some kind of way to check/supply this hardware address over the network.

***************************
*        Doug Gray        *
*       dag@umr.edu       *
* http://www.umr.edu/~dag *
***************************

On Fri, 30 Jul 1999, F. Steiner wrote:
Hi,
we just considered the following problem: Assume that a file system (let's say home directories of users) is exported from a server to some other computers (like in every university for instance).
Now one comes with his laptop to the university, plugs one computer off, gives his laptop the ip of the unplugged computer and creates a user on his laptop that exists in the university domain with the identical name and id.
Now the file system is exported to his laptop, too, because it has an ip from a university computer, and then the faker should be able to read and write the home directory of the user which he created, because NFS does not check the passwords but only the user id.
We tried that and it did work. This is indeed a huge problem, because it looks like we cannot prevent any student from doing this, i.e. installing a user for instance with name and id of a professor, and then having access to the professor's home directory.
Has anyone any idea how to prevent this??? Can NFS be told to check passwords during mounting? For example, rlogin would not work in the situation constructed above because it would realize the user having two different passwords. But can NFS be told to do that?
Thx for any help!
Best, Frank
--
Frank Steiner
mailto:steiner@informatik.rwth-aachen.de
http://www-i2.informatik.rwth-aachen.de/steiner/
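An added example, not part of the original messages: a small audit that lists which exports accept the AUTH_SYS flavor, where the server trusts the client's address and the user id it sends, as described in the question above. It assumes a server using the Linux exports(5) syntax with the sec= option; the sample file and its host names are constructed.

```python
import re

# Constructed sample /etc/exports content (not from the thread).
SAMPLE_EXPORTS = """\
# home directories for the lab machines
/home        192.0.2.0/24(rw,root_squash)
/home/staff  -sec=krb5p  staff1.example.org(rw) 192.0.2.17(rw,sec=sys)
/srv/pub     *(ro,sec=krb5:sys)
/srv/proj    proj.example.org(rw,sec=krb5i:krb5p)
"""

CLIENT_RE = re.compile(r"^([^()]*)(?:\((.*)\))?$")

def sec_flavors(options, default):
    """Flavors allowed by an option list; every sec= entry counts,
    and with no sec= entry the inherited default applies."""
    found = [f for o in options if o.startswith("sec=")
             for f in o[4:].split(":")]
    return found or default

def audit_exports(text):
    """Return (path, client) pairs that accept AUTH_SYS.

    With AUTH_SYS the server believes whatever uid the client sends,
    so a host that takes over an allowed address can act as any user.
    root_squash does not change that: it only remaps uid 0.
    Assumption: export paths contain no quoted whitespace.
    """
    findings = []
    text = text.replace("\\\n", " ")            # join continuation lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        fields = line.split()
        path, default = fields[0], ["sys"]      # exports(5) default is sec=sys
        for field in fields[1:]:
            if field.startswith("-"):           # "-opts" sets per-line defaults
                default = sec_flavors(field[1:].split(","), default)
                continue
            m = CLIENT_RE.match(field)
            client = m.group(1) or "(any host)"
            opts = (m.group(2) or "").split(",")
            if "sys" in sec_flavors(opts, default):
                findings.append((path, client))
    return findings

if __name__ == "__main__":
    for path, client in audit_exports(SAMPLE_EXPORTS):
        print(f"{path}: {client} is trusted by address and uid only (AUTH_SYS)")
```

Entries that list only krb5, krb5i or krb5p are not reported, because with those flavors the user must hold a Kerberos credential rather than just a matching uid.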