I think the real question is: Is SMB1 less secure than NFS?

zaarn · on Feb 10, 2020

Probably not since NFS to my recollection barely support anything resembling transport encryption, but it allows Authentication if you like Kerberos.

lokedhs · on Feb 10, 2020

NFS has supported transport encryption since as long as I can recall. It's enabled by the sec=krb5p mount option.

fulafel · on Feb 10, 2020

It can also be secured using IPsec (or other host-to-host supporting vpn that can have per protocol security associations)

zaarn · on Feb 10, 2020

SMB doesn't require me to setup a whole VPN connection (with it's own problems) just to get secure transport going.

fulafel · on Feb 10, 2020

True. But neither does NFS like the kerberos comment you replied to described :)

A third way to do this with NFS is to forward the TCP connection over stunnel, ssh forwarding or other similar thing.

zaarn · on Feb 10, 2020

As mentioned, if you like Kerberos. It's not the nicest way to do anything. Kerberos is also only supported if you (can) use NFSv4, NFSv3 doesn't support Kerberos on all clients.

justryry · on Feb 10, 2020

NFSv3 is very dead.

I like Kerberos a good bit and I think the complexity of running an LDAP/Kerberos infrastructure is greatly over estimated, but it is disappointing that none of the theorized alternatives ever really appeared. Last I read, LIPKEY was the only serious contender and there were some security concerns that got it nixed.

MrMorden · on Feb 10, 2020

And if you don't use Kerberos, NFS has no authentication. For extra credit, it's generally paired with NIS, so everyone can see everyone else's password hashes. What's not to like for an attacker?