[clug] Super Dumb question. Network filesystems... (linux Digest, Vol 88, Issue 35, Message 3)

steve jenkin sjenkin at canb.auug.org.au
Tue Apr 27 15:50:04 MDT 2010


I was telling a mate about this thread yesterday when The Blindingly
Obvious struck me.

You want 'cipher-none' and really zippy *and* easy transfers - in an
environment where you don't care about security?
Already there....

'rsh' & 'rcp' - the original BSD 'r' (remote) commands.

They've been deprecated for general use because they are so easily
compromised.
And replaced by SSH, which the OpenSSH people like to tell us "has never
been broken into". [kinda, sorta]

Discuss.
[My notes below]

Miles Goodhew wrote on 26/04/10 12:12 PM:
>> Date: Sun, 25 Apr 2010 15:23:04 +1000
>> From: Carlo Hamalainen <carlo.hamalainen at gmail.com>

> ...
>> I tried copying a 690Mb file from the SheevaPlug to my EEEPC using
>> sshfs. CPU usage hovered around 40% on the SheevaPlug. I timed it four
>> times:
> 
>   At the risk of just firing-off half-baked musings into the list,
> it's struck me many times in the past that it'd be nice if SSH and
> friends allowed an unencrypted mode (in the same way that compression
> can be turned on and off).
>   When operating on a secure network with low-risk data and possibly
> underpowered/overloaded processing nodes, it'd be nice to be able to
> do away with the encryption overhead sometimes. The general
> improvements in capability of SSH over RSH and the like are worth it in
> their own right (e.g. tunneling, SSHFS and SFTP modes).
> 
> There ya go.
> 

Before the ramble, a positive suggestion for a composite rsh/ssh solution:
- never allow 'rhosts' or rshd to run on your important machines,
  only on devices further out in the 'rings of security'.
- ssh can easily be used to move an 'rhosts' into place and start an
  'rshd' daemon - but you'd hope 'rshd' can be run so it accepts one
  connection then exits.
- Ideally you'd also try remapping ports from 514/tcp
  - and use something like 'tcpwrapper' to do more
- I can't believe there isn't a kerberised or similar rshd out there...
  - In OS/X /etc/services there's mention of port 221 of "with SPX auth"
    [a PAM modules available?]
- ya gotta be *really* sure this is what you want to do...

In this modern world of 'Hacking for Profit', if your network is
attached to the Wild Wild Web (those Pesky Public InterWebs PPIW),
then you have to assume that at some point you'll have a break-in...

BUT, since 2004 when "the Hackers turned Pro", they aren't going to
advertise their presence - not until they have you locked up, if they are
going for 'ransom-ware'.

Nothing nicer for an attacker than "Fat, Dumb and Happy" guys up the
pointy end... If you're complacent and self-satisfied then you're much
less likely to look for problems, and if you see them, your brain will
find good ways to dismiss evidence (cognitive dissonance).

It comes down to your individual level of paranoia and your attitude to
Risk vs Cost ($$, time, complexity, ...).

Yes, Virginia, there is Pretty Close to Perfect Security, it's called
SSH, but it doesn't come free. It takes CPU cycles to do the encryption.

regards
steve


-- 
Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
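An added example, not part of the thread above, that turns the first of Steve's bullets ("never allow 'rhosts' or rshd to run on your important machines") into something you can actually run: a small POSIX shell audit that walks a root directory looking for the classic BSD r-command trust files (`/etc/hosts.equiv`, `~/.rhosts`, flagging the `+` wildcard that trusts every host) and for inetd/xinetd entries that enable `shell` (514/tcp), `login` (513/tcp) or `exec` (512/tcp). The file locations, service names and the sample tree built by `make_sample_tree` are assumptions for illustration; the sample files are constructed, not captured from any real host.

```shell
#!/bin/sh
# Audit a filesystem tree for BSD r-command exposure. Added example; the
# paths below are the conventional ones (assumed), not taken from the thread.
#
#   audit_rcmd_exposure ROOT   prints one finding per line, returns 0 if
#                              nothing was found and 1 otherwise
#   make_sample_tree DIR       builds a constructed tree with deliberate
#                              findings, for a demo or test run

# Does a trust file contain a '+' entry (trust every host and/or user)?
has_plus_wildcard() {
    grep -Eq '^[[:space:]]*\+' "$1"
}

audit_rcmd_exposure() {
    root="${1:-/}"
    root="${root%/}"          # so ROOT=/ yields /etc/..., not //etc/...
    findings=0

    # 1. Global trust file: any presence enables rhosts auth for rshd/rlogind.
    if [ -f "$root/etc/hosts.equiv" ]; then
        if has_plus_wildcard "$root/etc/hosts.equiv"; then
            echo "CRITICAL: $root/etc/hosts.equiv contains a '+' wildcard"
        else
            echo "WARNING: $root/etc/hosts.equiv present (rhosts trust enabled)"
        fi
        findings=$((findings + 1))
    fi

    # 2. Per-user trust files (root's home and /home/*). An unmatched glob
    #    stays literal, so the -f test skips it.
    for f in "$root"/root/.rhosts "$root"/home/*/.rhosts; do
        [ -f "$f" ] || continue
        if has_plus_wildcard "$f"; then
            echo "CRITICAL: $f contains a '+' wildcard"
        else
            echo "WARNING: $f present"
        fi
        findings=$((findings + 1))
    done

    # 3. Classic inetd: an uncommented shell/login/exec service line.
    if [ -f "$root/etc/inetd.conf" ] &&
       grep -Eq '^[[:space:]]*(shell|login|exec)[[:space:]]' "$root/etc/inetd.conf"; then
        echo "CRITICAL: $root/etc/inetd.conf enables an r-service (512-514/tcp)"
        findings=$((findings + 1))
    fi

    # 4. xinetd: a service file for rsh/rlogin/rexec without 'disable = yes'.
    for f in "$root"/etc/xinetd.d/rsh "$root"/etc/xinetd.d/rlogin "$root"/etc/xinetd.d/rexec; do
        [ -f "$f" ] || continue
        if ! grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"; then
            echo "CRITICAL: $f is not disabled"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# Constructed sample tree: one wildcard hosts.equiv, one plain user .rhosts,
# one live inetd 'shell' line (after a commented one), one enabled xinetd rsh.
make_sample_tree() {
    d="$1"
    mkdir -p "$d/etc/xinetd.d" "$d/home/alice"
    printf '+ +\n' > "$d/etc/hosts.equiv"
    printf 'trusted.example.com steve\n' > "$d/home/alice/.rhosts"
    printf '#shell stream tcp nowait root /usr/sbin/tcpd in.rshd\n' > "$d/etc/inetd.conf"
    printf 'shell stream tcp nowait root /usr/sbin/tcpd in.rshd\n' >> "$d/etc/inetd.conf"
    printf 'service shell\n{\n\tdisable = no\n}\n' > "$d/etc/xinetd.d/rsh"
}

# Run only when given an argument, so sourcing the file is side-effect free:
#   sh audit.sh --demo     audit the constructed tree (4 findings expected)
#   sh audit.sh /          audit the live host
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_sample_tree "$d"
    audit_rcmd_exposure "$d" || true
    rm -rf "$d"
elif [ -n "${1:-}" ]; then
    audit_rcmd_exposure "$1"
fi
```

The exit status is the useful bit for the "rings of security" idea: run it from cron on the inner machines and alert on a non-zero return, so an rshd that someone (or some script) enabled "just for one transfer" and forgot does not stay enabled. It only inspects files, so it also works against a mounted image of a box you suspect.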

