
Hi,

we just considered the following problem: Assume that a file system (let's say home directories of users) is exported from a server to some other computers (like in every university for instance).

Now one comes with his laptop to the university, plugs one computer off, gives his laptop the ip of the unplugged computer and creates a user on his laptop that exists in the university domain with the identical name and id.

Now the file system is exported to his laptop, too, because it has an ip from a university computer, and then the faker should be able to read and write the home directory of the user which he created, because NFS does not check the passwords but only the user id.

We tried that and it did work. This is indeed a huge problem, because it looks like we cannot prevent any student from doing this, i.e. installing a user for instance with the name and id of a professor, and then having access to the professor's home directory.

Has anyone any idea how to prevent this??? Can NFS be told to check passwords during mounting? For example, rlogin would not work in the situation constructed above because it would realize the user having two different passwords. But can NFS be told to do that?

Thx for any help!

Best, Frank

-- Frank Steiner mailto:steiner@informatik.rwth-aachen.de http://www-i2.informatik.rwth-aachen.de/steiner/
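What the NFS server actually receives in the situation Frank describes is an ONC RPC AUTH_SYS (AUTH_UNIX) credential: a stamp, a hostname, a uid, a gid and a group list in plain XDR, with no secret anywhere in it. The following encoder/decoder is an added example for this thread (not code from any poster), written from the authsys_parms layout in RFC 5531; the field values are constructed.

```python
import struct

AUTH_SYS = 1  # opaque_auth flavor number for AUTH_SYS (AUTH_UNIX), RFC 5531


def _xdr_uint(n):
    """XDR unsigned int: 4 bytes, big-endian."""
    return struct.pack(">I", n)


def _xdr_string(s):
    """XDR string: length, bytes, zero padding to a 4-byte boundary."""
    data = s.encode()
    return _xdr_uint(len(data)) + data + b"\0" * ((-len(data)) % 4)


def encode_auth_sys(stamp, machinename, uid, gid, gids=()):
    """Build an opaque_auth {flavor, body} whose body is authsys_parms:
    stamp, machinename<255>, uid, gid, gids<16>. Nothing here is
    derived from a password; the client fills in whatever uid it likes."""
    if len(gids) > 16 or len(machinename.encode()) > 255:
        raise ValueError("authsys_parms limits exceeded")
    body = _xdr_uint(stamp) + _xdr_string(machinename)
    body += _xdr_uint(uid) + _xdr_uint(gid)
    body += _xdr_uint(len(gids)) + b"".join(_xdr_uint(g) for g in gids)
    return _xdr_uint(AUTH_SYS) + _xdr_uint(len(body)) + body


def decode_auth_sys(cred):
    """Parse the credential the way a server sees it; the returned uid/gid
    are the only identity information an AUTH_SYS export can act on."""
    flavor, blen = struct.unpack(">II", cred[:8])
    if flavor != AUTH_SYS:
        raise ValueError("not an AUTH_SYS credential")
    body = cred[8:8 + blen]
    stamp, slen = struct.unpack(">II", body[:8])
    pos = 8
    name = body[pos:pos + slen].decode()
    pos += slen + (-slen) % 4
    uid, gid, ngids = struct.unpack(">III", body[pos:pos + 12])
    pos += 12
    gids = list(struct.unpack(">%dI" % ngids, body[pos:pos + 4 * ngids]))
    return {"stamp": stamp, "machinename": name,
            "uid": uid, "gid": gid, "gids": gids}
```

Decoding a credential built on an arbitrary host shows that a uid chosen on the client side is all the server gets; that is why the replies below reach for a tunnel, AFS/Coda, or a network-level check instead of NFS itself.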

On Fri, 30 Jul 1999, F. Steiner wrote:
Has anyone any idea how to prevent this??? Can NFS be told to check passwords during mounting? For example, rlogin would not work in the situation constructed above because it would realize the user having two different passwords. But can NFS be told to do that?
Hello Frank,

I had the same problem some years ago. The solution was "cipe" (Crypto IP Encapsulation, http://sites.inka.de/sites/bigred/devel/cipe.html) from Olaf Titz. I think there is now also a cipe package in the SuSE distribution. If you want, I can send you my configuration as an example later (it's at home)!

It's a little bit like this (I forgot the details): you export a filesystem to an IP (one of the free ones that are not routed...), which is tunneled (and the IP packet encrypted) to the nfs client's IP. On the client's side it's almost the same. En- and decrypting is done via keys on the harddisk of client and server, and students won't have access to them!

Excuse me, I used this a long time ago; if you need details (free IP numbers etc.), I will be able to send them on Saturday!

Cheers, Peter

I don't know how this was accomplished, but at my university (using hpux) there was a way to register ip addresses with the hardware address of an individual ethernet card. The only way you could get ethernet access was to register your hardware address. If you tried switching your ethernet cards in your computer, you would have to re-register your new hardware address. So there must be some kind of way to check/supply this hardware address over the network.

-- Doug Gray, dag@umr.edu, http://www.umr.edu/~dag

On Fri, 30 Jul 1999, F. Steiner wrote:
Hi,
we just considered the following problem: Assume that a file system (let's say home directories of users) is exported from a server to some other computers (like in every university for instance).
Now one comes with his laptop to the university, plugs one computer off, gives his laptop the ip of the unplugged computer and creates a user on his laptop that exists in the university domain with the identical name and id.
Now the file system is exported to his laptop, too, because it has an ip from a university computer, and then the faker should be able to read and write the home directory of the user which he created, because NFS does not check the passwords but only the user id.
We tried that and it did work. This is indeed a huge problem, because it looks like we cannot prevent any student from doing this, i.e. installing a user for instance with name and id of a professor, and then having access to the professors home directory.
Has anyone any idea how to prevent this??? Can NFS be told to check passwords during mounting? For example, rlogin would not work in the situation constructed above because it would realize the user having two different passwords. But can NFS be told to do that?
Thx for any help!
Best, Frank
-- Frank Steiner mailto:steiner@informatik.rwth-aachen.de http://www-i2.informatik.rwth-aachen.de/steiner/
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

On Fri, 30 Jul 1999, Doug wrote:
I don't know how this was accomplished, but at my university (using hpux) there was a way to register ip addresses with the hardware address of an individual ethernet card. The only way you could get ethernet access was to register your hardware address. If you tried switching your ethernet cards in your computer, you would have to re-register your new hardware address. So there must be some kind of way to check/supply this hardware address over the network.
But don't forget: The "evil student" could easily sniff the NFS file handles and then mount the directories from the NFS server.

Bye, Thomas

-- Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg, E@mail: thomas@suse.de, Function: Security Support & Auditing, "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka", Key fingerprint = E3 42 DA D1 3B 9C 23 D0 93 1F B8 2E 6B 9A 45 82

On Fri, 30 Jul 1999, Doug wrote:
I don't know how this was accomplished, but at my university (using hpux) there was a way to register ip addresses with the hardware address of an individual ethernet card. The only way you could get ethernet access was to register your hardware address. If you tried switching your ethernet cards in your computer, you would have to re-register your new hardware address. So there must be some kind of way to check/supply this hardware address over the network.
Ethernet uses the HW address to decide whether a packet is for the card or not. This way it works independently from the protocol on top (IPX, IP, Appletalk...). There are ARP queries to ask for the HW address when the IP address is known.

To receive packets that are not for your machine, most ethernet adapters can be switched into a so-called promiscuous mode. This allows the computer to receive and send packets with different HW addresses; e.g. bridges often use this. With some cards, it's even possible to change the built-in HW address by manipulating the flash ROM.

So this method works in most cases, but is not really safe when the user knows what to do.

-- markus schaber -- http://www.schabi.de/ -- ICQ# 22042130 -- "Why do it the simple way when it can be done the complicated way!" (Eva Maria Schaber)

Has anyone any idea how to prevent this??? Can NFS be told to check passwords during mounting?
Sounds like AFS or CODA (http://www.coda.cs.cmu.edu/) might be what you are looking for.

Martin

-- Dr. Martin Kroeker, daVeg GmbH Darmstadt, CAD/CAM/CAQ, mk@daveg.com, Precision Powered by Penguins

Here is one idea. Instead of using a software solution, what about hardware? The computer must be physically attached to the network. Some switches and routers have the ability to map ip to mac addresses. This means that if you unplug the regular machine and plug in the fake machine, then the switch or router will reject it.

MAC addresses are harder to spoof. Hmmm.. Guess the hacker could carry around an EPROM burner and burn a new mac address on his network card.

Anyway, it is just an idea.

John

On Fri, 30 Jul 1999, F. Steiner wrote:
Hi,
we just considered the following problem: Assume that a file system (let's say home directories of users) is exported from a server to some other computers (like in every university for instance).
Now one comes with his laptop to the university, plugs one computer off, gives his laptop the ip of the unplugged computer and creates a user on his laptop that exists in the university domain with the identical name and id.
Now the file system is exported to his laptop, too, because it has an ip from a university computer, and then the faker should be able to read and write the home directory of the user which he created, because NFS does not check the passwords but only the user id.
We tried that and it did work. This is indeed a huge problem, because it looks like we cannot prevent any student from doing this, i.e. installing a user for instance with name and id of a professor, and then having access to the professors home directory.
Has anyone any idea how to prevent this??? Can NFS be told to check passwords during mounting? For example, rlogin would not work in the situation constructed above because it would realize the user having two different passwords. But can NFS be told to do that?
Thx for any help!
Best, Frank
-- Frank Steiner mailto:steiner@informatik.rwth-aachen.de http://www-i2.informatik.rwth-aachen.de/steiner/

Hi, On Fri, 30 Jul 1999, John Alcock wrote:
Instead of using a software solution, what about hardware. The computer must be physically attached to the network. Some switches and routers have the ability to map ip to mac addresses. This means that if you unplug the regular machine and plug in the fake machine, then the switch or router will reject it.
MAC addresses are harder to spoof. Hmmm.. Guess the hacker could carry around an EPROM burner and burn a new mac address on his network card.
MAC addresses are user "settable" on AIX. You can simply enable "alternate MAC address" and type whatever you wish. Of course, you will have to know what MAC to type in ;-)

Just a remark,
-alexm the bandwidthwaister

"F. Steiner" wrote:
For example, rlogin would not work in the situation constructed above because it would realize the user having two different passwords.
This is not correct when users may login from trusted hosts without entering their password. The rlogin daemon checks passwords only in the cases where they must explicitly be entered by the user. In short, authentication without asking for a password is done by rlogin using the following checks:

1. The client's port number must be in the privileged port range (below 1024).
2. The client's host must be listed in /etc/hosts.equiv or in the local user's .rhosts file.

(See `man rlogind' for a more detailed description.)

So the authentication mechanism of rlogin relies on IP addresses, too. There is no more protection against spoofed IP addresses than with NFS. A more secure way for remote logins is the secure shell (ssh), which is able to authenticate users or hosts using public key cryptography.

Eilert Brinkmann

-- Eilert Brinkmann, Universitaet Bremen, FB3 / Informatik. E-Mail: eilert@tzi.de, eilert@informatik.uni-bremen.de, eilert@linuxfreak.com
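To make Eilert's two checks concrete, here is an added model of the rlogind decision (written for this page, not taken from any rlogind source, and simplified: no "+" wildcards, netgroups or root special-casing). Its only inputs are the hostname the server resolved from the client's IP address, the source port, and the two trust files; nothing in it is a secret held by the user, which is the point Eilert makes. The file contents are constructed samples.

```python
PRIVILEGED_PORT_MAX = 1023  # rlogind insists on a client source port below 1024

# Constructed sample trust files for a server called "srv.example.edu"
SAMPLE_HOSTS_EQUIV = """# any user on lab12 may log in under the same name
lab12.example.edu
"""
SAMPLE_RHOSTS_OF_PROF = """# prof's ~/.rhosts: user frank on lab12 may log in as prof
lab12.example.edu frank
"""


def parse_trust_file(text):
    """Parse hosts.equiv / .rhosts lines of the form 'host [user]'."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1] if len(parts) > 1 else None))
    return entries


def _host_trusted(entries, client_host, remote_user, local_user):
    """'host' alone: same user name on both sides; 'host user': that remote
    user may log in as the local account the file belongs to."""
    for host, user in entries:
        if host != client_host:
            continue
        if user is None and remote_user == local_user:
            return True
        if user is not None and user == remote_user:
            return True
    return False


def rlogin_skips_password(client_host, client_port, remote_user, local_user,
                          hosts_equiv="", rhosts=""):
    """True when rlogind would grant the login without a password. Both
    checks depend only on where the packets appear to come from."""
    if client_port > PRIVILEGED_PORT_MAX:
        return False
    return (_host_trusted(parse_trust_file(hosts_equiv), client_host,
                          remote_user, local_user)
            or _host_trusted(parse_trust_file(rhosts), client_host,
                             remote_user, local_user))
```

Running it with the sample files shows that a machine answering to lab12's address satisfies both checks exactly as the real lab12 would, so the mitigation is the one Eilert names: ssh with key-based authentication rather than address-based trust.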

F. Steiner wrote:
.........
Has anyone any idea how to prevent this??? Can NFS be told to check passwords during mounting? For example, rlogin would not work in the situation constructed above because it would realize the user having two different passwords. But can NFS be told to do that?
All I can tell you is to use arpwatchd and afs or coda instead of nfsd.

Something else comes to my mind, but I can't tell if it is good or not: include in the system-wide shell config scripts some md5 checker which checks some files on the client. If the sums don't match, exclude this ip from the export list and HUP nfsd.

cyas
participants (10): alexm, Doug, Eilert Brinkmann, F. Steiner, John Alcock, Markus Schaber, mk@daveg.com, Peter Münster, Stefan Völkel, Thomas Biege