WPA2 bugz - One Man's Quick & Dirty Response
Gary Palmer
gpalmer at freebsd.org
Wed Oct 18 23:32:58 UTC 2017
On Wed, Oct 18, 2017 at 05:43:44PM -0500, Benjamin Kaduk wrote:
> I fear I must wade into this thread, despite it being thick with FUD.
>
> On Wed, Oct 18, 2017 at 07:27:42PM +0200, WhiteWinterWolf (Simon) wrote:
> > Hi Ronald,
> >
> > Le 18/10/2017 ? 06:00, Ronald F. Guilmette a ?crit :
> > >
> > > In message <49252eda-3d48-f7bc-95e7-db716db4ed91 at whitewinterwolf.com>,
> > > "WhiteWinterWolf (Simon)" <freebsd.lists at whitewinterwolf.com> wrote:
> > >
> > >> Ideally, you would use a specific protection for each of these layers,
> > >> so that an vulnerability affecting one layer would be compensated by
> > >> other layers.
> > >
> > > A good point.
> > >
> > > Right about now, I wish that I knew one hell of a lot more about both
> > > NFS and SMB than I do... and also SSH and TLS. I suspect that the
> > > file sharing protocols I am most concerned about (NFS & SMB) could
> > > perhaps be run in a manner such that both initial volume mounts and
> > > also data blocks (to & from) the share volumes would be additionally
> > > encrypted, so that I could be running everything securely, even if
> > > some attacker managed to do maximally evil things to my WiFi/WPA2
> > > network.
> > >
> > > Do NFS and/or SMB have their own built-in encryption?
> >
> > No, not really.
> >
> > NFS has no built-in encryption, it may be possible to tunnel it but this
> > is out-of-scope here (using a VPN and tunnel everything would be easier
> > than nitpicking and tunnel only the NFS data flow).
>
> This statement is either false or highly misleading. NFS (both v3 and v4)
> is an RPC protocol, and RPCSEC_GSS exists and can provide per-message
> confidentiality protection. It may be true that Kerberos is basically
> the only GSS-API mechanism implemented for RPCSEC_GSS, and the necessary
> Kerberos setup is far more painful to set up than it needs to be,
> but all modern NFS implementations support it.
More specifically, for FreeBSD a very quick search finds
https://wiki.freebsd.org/KerberizedNFS
which includes that you can configure an export as krb5p which
encrypts the payload of RPC requests. Although the article is dated
this year, "man mount_nfs" shows krb5p is documented in 10.3-RELEASE
so all supported FBSD versions should implement krb5p.
This is probably overkill for a home setup.
Regards,
Gary
More information about the freebsd-security
mailing list