[Search for users] [Overall Top Noters] [List of all Conferences] [Download this site]

Conference lassie::ucx

Title:DEC TCP/IP Services for OpenVMS
Notice:Note 2-SSB Kits, 3-FT Kits, 4-Patch Info, 7-QAR System
Moderator:ucxaxp.ucx.lkg.dec.com::TIBBERT
Created:Thu Nov 17 1994
Last Modified:Fri Jun 06 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:5568
Total number of notes:21492

5497.0. "Secure NFS ?" by KETJE::STAES (Topless = No brains at all) Mon May 12 1997 04:11

Hi,

Does UCX offer the possibility to perform 2-way authentication before
binding/mounting a file system like is done in Secure-NFS?

Regards,
Nand.
T.RTitleUserPersonal
Name		DateLines
5497.1noLASSIE::CORENZWITstuck in postcrypt queueMon May 12 1997 10:296
    No.  If this is a revenue-related question, you should contact the
    Product Manager, at present Barbara (DELNI::)Karten.  If Secure-NFS is
    the same thing as NFS with Kerberos support, better say that, and if
    not say what Secure-NFS is.
    
    Julie
5497.2It's about Sun Solaris NFSKETJE::STAESTopless = No brains at allTue May 13 1997 08:3943
Apologies.

I should have started with the question "does anyone know what Secure-NFS
is"?  I used this terminology, because that is how my customer called it.

In the meantime I found out that it refers to the authentication services
available for NFS on Sun Solaris.


from:		http://www.sun.com/solaris/desktop/nfs_15.html#86853


		Solaris Products
		NFS Security

		.../...

                Authentication Services

                An authentication service provides a mechanism for
                checking a users's network "identification" to make sure
                they are who they claim to be before being allowed to
                use resources. NFS can be configured to utilize two
                authentication services: one based on the Diffie-Hellman
                key exchange protocol and one using Kerberos. In
                addition, NFS can also utilize a simple authentication
                mechanism that is referred to as "Unix-style"
                authentication. NFS is able to utilize multiple
                authentication "flavors" by virtue of the fact that they
                are accessible through the TI-RPC service.


So back to the start.  Do we have anything available on UCX, sorry, TCP/IP
services for OpenVMS, which can handle this type of authenticated service
requests?

This would provide a more secure alternative to FTP file transfers which
are forbidden - by policy - on that specific part of the customer's network.

But I'm afraid the answer is still "no".  Or not?

Regards,
Nand.
5497.3Can it be created?EVMS::EVERHARTTue May 13 1997 12:3011
    There is a TCP Wrappers for UCX. Can it be used to force a run of
    some hand written authenticator before allowing an nfs hookup?
    Such an authenticator might set some dynamic identifiers or clear
    them, if there can be a separate process created for an nfs
    session to which these identifiers could be added.
    
    Such an authenticator might not be what Sun has, but could
    perhaps be used to differentiate someone on a known internal
    system from total outsiders. Or is there no process context or
    the like to hang anything on to?
5497.4UCXAXP::GEMIGNANITue May 13 1997 15:128
    There is currently no way to do this (with the UCX releases which are
    available).  The item (you referenced) eluded to TI-NFS (probably using the
    transport-independent RPC).  NFS could conceivably accept relayed
    requests from an intermediary, but not in its current form, as there is
    host verification which is performed.
    
    We are investigating several possibilities for a future release of the
    product.