Return to BSD News archive
Xref: sserve comp.sys.powerpc:31034 comp.sys.intel:27833 comp.os.misc:3645 comp.unix.bsd:15794 comp.unix.pc-clone.32bit:7949 comp.unix.sys5.r4:8996 comp.unix.misc:15379 comp.os.linux.development:21997 comp.os.linux.misc:32703 comp.os.linux.misc:32704 comp.os.386bsd.development:2957 comp.os.386bsd.misc:4631
Newsgroups: comp.sys.powerpc,comp.sys.intel,comp.os.misc,comp.unix.bsd,comp.unix.pc-clone.32bit,comp.unix.sys5.r4,comp.unix.misc,comp.os.linux.development,comp.os.linux.misc,comp.os.linux.misc,comp.os.386bsd.development,comp.os.386bsd.misc
Path: sserve!newshost.anu.edu.au!munnari.oz.au!bruce.cs.monash.edu.au!harbinger.cc.monash.edu.au!msunews!uwm.edu!math.ohio-state.edu!sol.ctr.columbia.edu!hamblin.math.byu.edu!park.uvsc.edu!news
From: Terry Lambert <terry@cs.weber.edu>
Subject: Re: Interested in PowerPC for Linux / FreeBSD / NetBSD?
Organization: Utah Valley State College, Orem, Utah
Date: Tue, 27 Dec 1994 22:06:19 GMT
Message-ID: <D1HpEL.MEx@park.uvsc.edu>
X-Nntp-Posting-Host: hecate.artisoft.com
References: <3cilp3$143@news-2.csn.net> <3d4ucp$sbn@hearst.cac.psu.edu> <SCHWARTZ.94Dec27135416@galapagos.cse.psu.edu>
Sender: news@park.uvsc.edu (System Account)
Lines: 96
schwartz@galapagos.cse.psu.edu (Scott Schwartz) wrote:
]
] Terry Lambert <terry@cs.weber.edu> writes:
] schwartz@galapagos.cse.psu.edu (Scott Schwartz) wrote:
] ] If Microsoft is clever, they'll integrate Kerberos and then loudly
] ] advertise the sad-but-true fact that unix usually doesn't use the kind
] ] of robust authentication mechanism that life on the the internet
] ] demands.
] ]
] ] Since you mention NFS, check out the latest advisory from CERT on NFS
] ] to see the impact of this foolish lack of authentication.
]
] Clearly, you have not followed the current developements in NFS if
] you believe you can't use secure-key technology.
]
] On the contrary. I have followed the current developments, and I have
] all the papers you mention. The problem is that in actual practice
] NFS almost never uses an authentication system. There's no excuse for
] that, and yet that is exactly the way most vendors ship it and most
] users run it. That's why CERT had to issue an advisory recommending a
] bunch of desperate kludges.
I beg to differ. There *IS* "an excuse for that" and that excuse is
called "existing practice".
I think you are confusing the implementation that you have (the one
evidencing existing practice) with a good implementation.
] And you are simply dreaming if you bitch about compatability when
] running the secure version of anything.
]
] There shouldn't be a "secure version", because that implies that there
] is a default version which is insecure. There should be exactly one
] version that does the right thing all of the time. Works for AFS.
] Works for Plan 9.
I'm sorry, but you can't outlaw legacy systems -- it just won't work.
This is exactly my gripe with runic encoding of Unicode data being
exported via NFS, or the assumptions made about rendering systems in
the standardization of Unicode code points. It totally ignores the
existance of legacy systems. This is also exactly the problem with
a lot of the way Plan 9 does things.
There is no implication that the "default" will be insecure, only
that an insecure version exists. One need look no farther than the
default Solaris NFS implementations requirements regarding the use
of secure ports to see that this is true -- if the "default" were to
use the older compatability mechanism, then Solaris NFS servers would
not require the priveledged port.
I can make similarly formulated (and similarly flawed) arguments that
the United States should be using the metric system for measurements.
] And no, I don't think compatability with something broken is worth it.
Vote with your $ to your vendor, and vote with your network itself
by putting the new code on it from the 4.4 Lite CDROM.
And quit complaining about Feebs using legacy systems; it's in the
nature of who they are (Feebs) and you aren't going to change it
without gene surgery.
] If you don't care to secure all of your equipment by running non-
] antiquated software, may I suggest ipfilter?
]
] That doesn't address the problem. People do want to run
] non-antiquated software, but AFS costs way too much money and rn
] doesn't run on Plan-9. I suggest that vendors ship NFS with Kerberos
] and with no way to turn authentication off.
Suggest it to the vendors. But I warn you, there's too much money
in making things "just work" for them to throw out compatability for
just you, so don't be disappointed in the lack of response.
New costs more money than old. That's why people get paid to work
on it. If people want new, they get to trade money for it (or
they can run Andrew on BSD or Linux for free, just like they can
run BSD or Linux for free) or they get to live without. Personally,
I'd like a PReP compliant (or otherwise hardware-documented) PowerPC
to do OS developement work on, but I'm not willing to trade IBM $6000
for it. You can look at that either as IBM charging too much money,
IBM selling a Workstation when they should be selling a desktop, or
as evidence of me not really wanting it enough. If the latter, I'd
lump the people in the "want secure NFS" camp into the same boat of
simply not wanting it enough.
Or you can do your bit for humanity and write public domain software
to address the problem and make it self-installing so that even a
Feeb can deal with it and find yourself canonized. 8-).
Terry Lambert
terry@cs.weber.edu
---
Any opinions in this posting are my own and not those of my present
or previous employers.