[OpenAFS] with or without krb5 and openldap?

Balazs GAL balsa@rit.bme.hu
Sat, 02 Aug 2003 22:03:43 +0200


Derek Atkins wrote:
> Balazs GAL <balsa@rit.bme.hu> writes:
> 
> 
>>Derek Atkins wrote:
>>
>>
>>>Hesiod is not any less secure than LDAP.  At least with Hesiod if you
>>>deploy DNSSec you get complete security.  OTOH, you do not require a
>>>significant amount of security on hesiod info -- who cares about your
>>>GECOS field?  The real authentication security is from Kerberos.
>>
>>Don't forget that the unix like systems authorization is based on nss
                                           ^^^^^^^^^^^^^
>>passwd and group fields. If you can spoof that, then you can gain any
>>rights on the clients.
> 
> 
> GRR...  You clearly "do not understand".

Thanks. ;))

>  No, authentication does NOT
        ^^^^^^^^^^^^^^
> come from Hesiod 

I haven't spoken about authentication.

> (indeed, if you look up my Hesiod entry you wont even
> see a passwd entry!).  Authentication uses Kerberos.  Please -- try to
> spoof that!

Yes, but the parts of the unix security system are:
authentication (who are you)
authorization (what can you do)

As you wrote, kerberos can only provide authentication.

Now let's see the authorization:
an application can choose many forms of it, but the most used
authorization sources are the nss passwd and group fields.
OpenAFS is one of the exceptions with its pts database.

E.g. file system authorization:

~$ ls -al /etc/shadow
-rw-r-----    1 root     shadow       1073 2003-07-13 11:54 /etc/shadow
~$ getent group shadow
shadow:x:42:

Now any user who is part of the shadow group can read the shadow file,
and maybe can gain root access with root's crypted passwd.
It can be done by spoofing either the nss passwd or group database.

As you see, authorization is a significant part of unix security,
and without it authentication is useless.

> Yes, you could perform UID spoofing, but you can do that with _ANY_
> distributed passwd entry.

No, there are many forms which at least try to be secure, like: nis+,
ldap with ssl cert based server authentication, or hesiod with dnssec.

>  The point is that "local UID" means nothing
> -- the only thing that matters (at least on the network) is your
> kerberos identity.

It's true from the AFS view, but not from the general unix security view.

balsa
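The /etc/shadow case above comes down to a numeric comparison: the kernel's discretionary access check matches the file's uid/gid against the uid and group set the login process obtained from the passwd and group databases, and it never sees a Kerberos principal. The following is an added example, not code from the post or from OpenAFS, that reimplements that owner/group/other check in Python and resolves a user's credentials from constructed passwd(5)/group(5)-format text in the same way initgroups(3) would. Both databases, the user names and the file attributes are made up for the demonstration; the only difference between the genuine and the "spoofed" group database is that the second one lists alice as a member of gid 42.

```python
"""Simulate the Unix DAC (owner/group/other) check and show how the NSS
passwd and group databases, not the authentication step, decide the outcome.
All databases below are constructed sample data, not a real system's files."""
from dataclasses import dataclass

# Constructed sample databases in /etc/passwd and /etc/group format.
PASSWD_DB = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

GROUP_DB = """root:x:0:
shadow:x:42:
alice:x:1000:
"""

# The same group database as an attacker-controlled NSS source might answer it:
# alice has been appended to the member list of the shadow group (gid 42).
SPOOFED_GROUP_DB = """root:x:0:
shadow:x:42:alice
alice:x:1000:
"""


def parse_passwd(text):
    """name -> (uid, primary gid) from passwd(5)-formatted lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        users[name] = (int(uid), int(gid))
    return users


def parse_group(text):
    """gid -> set of member names from group(5)-formatted lines."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _name, _pw, gid, members = line.split(":", 3)
        groups[int(gid)] = {m for m in members.split(",") if m}
    return groups


def credentials(user, passwd_text, group_text):
    """Resolve a login name to (uid, {gids}) the way initgroups(3) does:
    primary gid from passwd plus every group that lists the user as a member."""
    uid, gid = parse_passwd(passwd_text)[user]
    gids = {gid}
    for g, members in parse_group(group_text).items():
        if user in members:
            gids.add(g)
    return uid, gids


@dataclass
class Inode:
    mode: int  # permission bits only, e.g. 0o640
    uid: int
    gid: int


def may_access(inode, uid, gids, want):
    """DAC check: uid 0 bypasses; otherwise exactly one permission triplet
    applies (owner if uid matches, else group if gid is in the process's
    group set, else other). There is no fall-through between triplets."""
    if uid == 0:
        return True
    if uid == inode.uid:
        shift = 6
    elif inode.gid in gids:
        shift = 3
    else:
        shift = 0
    return (inode.mode >> shift) & want == want


# -rw-r----- root shadow, matching the ls -al output in the post.
SHADOW = Inode(mode=0o640, uid=0, gid=42)
READ = 4


def can_read_shadow(user, group_text):
    """Would `user` be allowed to read /etc/shadow given this group database?"""
    uid, gids = credentials(user, PASSWD_DB, group_text)
    return may_access(SHADOW, uid, gids, READ)


if __name__ == "__main__":
    print("alice, genuine group db:", can_read_shadow("alice", GROUP_DB))
    print("alice, spoofed group db:", can_read_shadow("alice", SPOOFED_GROUP_DB))
```

Nothing in `may_access` consults who the user authenticated as; it only sees the numbers that `credentials` produced from the databases. That is why the integrity of the NSS source (DNSSEC for Hesiod, a server-authenticated TLS channel for LDAP) matters for authorization even when authentication itself is handled entirely by Kerberos.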