[OpenAFS] with or without krb5 and openldap?

Derek Atkins warlord@MIT.EDU
02 Aug 2003 16:23:23 -0400


Balazs GAL <balsa@rit.bme.hu> writes:

> >>Don't forget that the unix like systems authorization is based on nss
>                                            ^^^^^^^^^^^^^
> >>passwd and group fields. If you can spoof that, then you can gain any
> >>rights on the clients.
> > GRR...  You clearly "do not understand".
> 
> Thanks. ;))
> 
> >  No, authentication does NOT
>         ^^^^^^^^^^^^^^
> > come from Hesiod
> 
> I haven't spoken about authentication.

Sure you have -- because authorization has nothing to do with
passwords.  By invoking passwords you have, indeed, spoken about
authentication.

> > (indeed, if you look up my Hesiod entry you won't even
> > see a passwd entry!).  Authentication uses Kerberos.  Please -- try to
> > spoof that!
> 
> Yes, but the unix security system parts are:
> authentication (who are you)
> authorization (what can you do)
> 
> As you wrote kerberos can only provide authentication.

I never said it can ONLY provide authentication.  I said it _DID_.
Access control (login's use of Authorization) necessarily requires
authentication.

> Now let's see the authorization:
> an application can choose many forms of it, but the most used
> authorization sources are the nss passwd and group fields.
> OpenAFS is one of the exceptions with its pts database.

I still think you are confused with how authentication and
authorization work.  First, the user authenticates (provides a username
and password).  Second, the system authorizes access (is the username
in the password file, do they have a real shell, etc).

> > Yes, you could perform UID spoofing, but you can do that with _ANY_
> > distributed passwd entry.
> 
> No, there are many forms which at least try to be secure like: nis+,
> ldap with ssl cert based server authentication, or hesiod with dnssec.

LOL.  NIS+ is not secure.  You can break it in real time using any
modern computer.  LDAP with SSL is probably ok provided the client
actually properly checks the certificate (which I doubt most do).

> >  The point is that "local UID" means nothing
> > -- the only thing that matters (at least on the network) is your
> > kerberos identity.
> 
> It's true from the AFS, but not from the general unix security view.

So?

> balsa

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
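An added example, not part of Derek's message or of this thread, for the point made above about LDAP over SSL only being safe if the client actually checks the server certificate: a small POSIX shell lint that reads an OpenLDAP client ldap.conf and fails it when TLS_REQCERT is weaker than demand or no trust anchor is configured. The sample configs, CA path and hostnames below are constructed for illustration.

```shell
#!/bin/sh
# Return 0 when the ldap.conf at $1 forces server certificate verification,
# 1 otherwise.  Comments are stripped first; the last occurrence of a key wins.
check_ldap_tls_conf() {
    conf="$1"
    reqcert=$(sed -e 's/#.*//' "$conf" \
        | awk 'toupper($1)=="TLS_REQCERT"{print tolower($2)}' | tail -n 1)
    cacert=$(sed -e 's/#.*//' "$conf" \
        | awk 'toupper($1)=="TLS_CACERT"||toupper($1)=="TLS_CACERTDIR"{print $2}' \
        | tail -n 1)
    # OpenLDAP's own default for TLS_REQCERT is "demand", so an absent key is
    # fine.  "never", "allow" and "try" all accept a server whose certificate
    # does not verify, which is exactly the spoofing the thread talks about.
    case "${reqcert:-demand}" in
        demand|hard) ;;
        *) echo "$conf: TLS_REQCERT=$reqcert does not reject bad certificates" >&2
           return 1 ;;
    esac
    # Policy choice of this lint: require an explicit trust anchor, because
    # "demand" without a CA to verify against is not a working check.
    if [ -z "$cacert" ]; then
        echo "$conf: no TLS_CACERT/TLS_CACERTDIR configured" >&2
        return 1
    fi
    return 0
}

# Write a constructed sample config to $1 with the given TLS_REQCERT value
# ($2) and an optional extra line ($3), e.g. a TLS_CACERT directive.
make_sample() {
    cat > "$1" <<EOF
# constructed sample ldap.conf
URI ldaps://ldap.example.org
BASE dc=example,dc=org
TLS_REQCERT $2
$3
EOF
}
```

Run it against a weak config (TLS_REQCERT never) and a corrected one (TLS_REQCERT demand plus TLS_CACERT) to see the difference the thread is arguing about.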