Date: Thu, 19 Oct 2017 00:32:48 +0100 From: Gary Palmer <gpalmer@freebsd.org> To: Benjamin Kaduk <kaduk@mit.edu> Cc: "WhiteWinterWolf (Simon)" <freebsd.lists@whitewinterwolf.com>, freebsd-security@freebsd.org, "Ronald F. Guilmette" <rfg@tristatelogic.com> Subject: Re: WPA2 bugz - One Man's Quick & Dirty Response Message-ID: <20171018233248.GB96120@in-addr.com> In-Reply-To: <20171018224344.GA96685@kduck.kaduk.org> References: <32999.1508299211@segfault.tristatelogic.com> <53010303-bd65-26a1-64b9-6eefa325ca46@whitewinterwolf.com> <20171018224344.GA96685@kduck.kaduk.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Oct 18, 2017 at 05:43:44PM -0500, Benjamin Kaduk wrote: > I fear I must wade into this thread, despite it being thick with FUD. > > On Wed, Oct 18, 2017 at 07:27:42PM +0200, WhiteWinterWolf (Simon) wrote: > > Hi Ronald, > > > > Le 18/10/2017 ? 06:00, Ronald F. Guilmette a ?crit : > > > > > > In message <49252eda-3d48-f7bc-95e7-db716db4ed91@whitewinterwolf.com>, > > > "WhiteWinterWolf (Simon)" <freebsd.lists@whitewinterwolf.com> wrote: > > > > > >> Ideally, you would use a specific protection for each of these layers, > > >> so that an vulnerability affecting one layer would be compensated by > > >> other layers. > > > > > > A good point. > > > > > > Right about now, I wish that I knew one hell of a lot more about both > > > NFS and SMB than I do... and also SSH and TLS. I suspect that the > > > file sharing protocols I am most concerned about (NFS & SMB) could > > > perhaps be run in a manner such that both initial volume mounts and > > > also data blocks (to & from) the share volumes would be additionally > > > encrypted, so that I could be running everything securely, even if > > > some attacker managed to do maximally evil things to my WiFi/WPA2 > > > network. > > > > > > Do NFS and/or SMB have their own built-in encryption? > > > > No, not really. > > > > NFS has no built-in encryption, it may be possible to tunnel it but this > > is out-of-scope here (using a VPN and tunnel everything would be easier > > than nitpicking and tunnel only the NFS data flow). > > This statement is either false or highly misleading. NFS (both v3 and v4) > is an RPC protocol, and RPCSEC_GSS exists and can provide per-message > confidentiality protection. It may be true that Kerberos is basically > the only GSS-API mechanism implemented for RPCSEC_GSS, and the necessary > Kerberos setup is far more painful to set up than it needs to be, > but all modern NFS implementations support it. More specifically, for FreeBSD a very quick search finds https://wiki.freebsd.org/KerberizedNFS which includes that you can configure an export as krb5p which encrypts the payload of RPC requests. Although the article is dated this year, "man mount_nfs" shows krb5p is documented in 10.3-RELEASE so all supported FBSD versions should implement krb5p. This is probably overkill for a home setup. Regards, Gary
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20171018233248.GB96120>