[OpenAFS] Re: foreign-realm members of system:administrators
have weakened powers?
Jeffrey Hutzelman
jhutz@cmu.edu
Fri, 27 Jan 2006 15:03:30 -0500
On Friday, January 27, 2006 10:54:40 AM -0500 Ken Hornstein
<kenh@cmf.nrl.navy.mil> wrote:
> What do people think about the idea of having an AFS RPC which said,
> "Hey, what's your Kerberos realm?" This would have to be done
> unauthenticated of course, so I don't see it being any better from a
> security standpoint, but it would solve this particular problem, and it
> really makes more sense.
Well, it would be better than inferring it from dbserver hostnames, when
you get those hostnames from the DNS. It would _not_ be better when you
get the names from a CellServDB, if that comes from a trusted source. I
imagine that most sites use a mixture of CellServDB records from both
trusted and untrusted sources (I do not consider the GCO Public CellServDB
to be a trusted source, from a security standpoint, even though I maintain
it).
My real concern with an approach such as you describe (which has been
suggested before) is that it would end up being blindly deployed in
situations where it is _not_ safe, which I suspect is a lot of them, and it
would encourage people to rely on "easier" insecure configurations even
when they have the ability to make it work right.
Security software that "just works" out of the box by defaulting to an
insecure configuration is not security software at all; it is
false-sense-of-security software.
Moving forward with new authentication technologies that are in the works,
the cell-to-realm mapping issue is going to continue to be a problem. We
can take care of the issue of obtaining dbserver names from untrusted
sources, even if/when we adopt the use of per-server service keys.
However, we will still have to find a long-term solution to the
cell-to-realm problem. While the heuristic of doing host-to-realm mapping
on dbservers works for a large portion of deployments, it is actually
inconsistent with the model which GSSAPI and Kerberos libraries are likely
to support for domain-based service names, which would involve
"host"-to-realm mapping on the _cell_ name.
But design discussions for OpenAFS and the AFS protocols really belong in
another forum...
-- Jeff