[OpenAFS] The Illusion of Security
Rodney M Dyer
rmdyer@uncc.edu
Mon, 18 Aug 2003 11:16:37 -0400
At 08:34 AM 8/18/2003 -0400, Sam Hartman wrote:
>It's probably a good idea to at least copy one of the MIT Kerberos
>lists on bugs yu find in our code. We don't tend to read the OpenAFS
>lists and we don't suddenly become aware of issues that aren't brought
>to our attention.
I was actually very close to doing that until I got mail from my MIT friend
that said the problem was intentional.
> Let's assume that MIT's kinit for KFW did accept passwords on
> stdin. Would you have had to modify any of the AFS code or is
> there already a facility for starting a shell during the afs login
> process?
Smart, you've caught me. There is no built-in facility for starting a
shell in OpenAFS. I make a small change to "afslogon.c" to exec a shell at
the point where K4 authentication is normally done. This small change
requires no extra compile-time headers, or run-time dependencies. This is
known as the AFSLogonShell. See...
http://www.coe.uncc.edu/~rmdyer/afslogonshell.htm
Frankly, I'd love to see this "shell" facility added into OpenAFS. It
actually makes AFS on Windows much easier to manage because it solves -so-
many problems. Example...
1. K5 authentication can be done using "off-the-shelf" binaries..."kinit"
& "aklog". I can override the internal K4 authentication if I want, or
allow the error status to be processed.
2. Roaming profiles are easier to setup.
3. Folder redirection is much less complicated to setup.
4. The AFS service and global drive can be tested at user logon.
5. Quota and user volumes can be checked at logon.
6. The shell exec can be configured to call any scripting language
interpreter or process.
Without the shell feature we are limited to the current K4 authentication
of "afslogon.c" and there's no way to perform any logon scripting before
the user's process space has been init'ed. Microsoft's logon scripting is
limited to the post-init environment. At that point, folder redirection is
all but impossible to setup.
I could rave all day about how much I like the "shell" feature, it doesn't
change the fact that anyone can download the code and do what I did. The
"afslogon.dll" file is simply a Microsoft logon provider. There isn't
really anything special about the fact that it does AFS
authentication. It's just a DLL file that exports certain functions to the
Winlogon process. You can add multiple logon providers just like you can
glue together pam modules. I "could" have written my own logon provider
DLL and "shelled" out of that. That wouldn't have been any different. I
just thought, hey, why write my own, here's a perfectly good one that ships
with OpenAFS. All the logon providers "get" the plaintext password.
Why can't you guys modify "kinit" so that it check to see of the username
is "system"? If it is, then you allow the pipe, if not, then dont. Simple
enough? Oh, not so simple, this won't work on Win9x series...
Rodney