[OpenAFS] with or without krb5 and openldap?
Balazs GAL
balsa@rit.bme.hu
Sat, 02 Aug 2003 23:42:02 +0200
Derek Atkins wrote:
> Balazs GAL <balsa@rit.bme.hu> writes:
>
>
>>>>Don't forget that the unix like systems authorization is based on nss
^^^
>>>>passwd and group fields. If you can spoof that, then you can gain any
^^^^^^^^^^^^^^^^^^^^^^^
>>>>rights on the clients.
>>>
>>I haven't spoken about authentication.
>
>
> Sure you have -- because authorization has nothing to do with
> passwords.
I never said that. Authorization has to do with nss passwd
entries like this:
~$ getent passwd balsa
balsa:x:1000:1000:Balazs GAL:/home/balsa:/bin/bash
Here are two significant fields (UID and GID) which
are used in authorization.
> By invoking passwords you have, indeed, spoken about
> authentication.
I haven't invoked passwords, I invoked "nss passwd fields".
>>>(indeed, if you look up my Hesiod entry you won't even
>>>see a passwd entry!). Authentication uses Kerberos. Please -- try to
>>>spoof that!
>>
>>Yes, but the unix security system parts are:
>>authentication (who are you)
>>authorization (what can you do)
>>
>>As you wrote kerberos can only provide authentication.
>
>
> I never said it can ONLY provide authentication. I said it _DID_.
> Access control (login's use of Authorization) necessarily requires
> authentication.
Yes, security requires authentication, and Kerberos provides it, but
the KDC doesn't have any authorization database.
>>Now lets see the authorization:
>>an application can choose many forms of it, but the most used
>>authorization sources are the nss passwd and group fields.
>>OpenAFS is one of the exceptions with its pts database.
>
>
> I still think you are confused with how authentication and
> authorization work.
Why? Did I write something wrong in my mails? I don't think so.
> First, the user authenticates (provide a username
> and password). Second, the system authorizes access (is the username
> in the password file, do they have a real shell, etc).
Thanks I know it. ;)
>>No, there are many forms which at least try to be secure like: nis+,
^^^^^^^^^^^^^^^^
> LOL. NIS+ is not secure.
>>> The point is that "local UID" means nothing
>>>-- the only thing that matters (at least on the network) is your
>>>kerberos identity.
>>
>>It's true from the AFS, but not from the general unix security view.
>
>
> So?
So the "local UID" is significant (and not "means nothing")
from the general unix security view.
> -derek
balsa
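The point argued above (Kerberos settles who you are, but the UID/GID that NSS hands back is what the Unix permission check actually consults) can be shown with a short Python model. This is an added example, not code from the thread or from OpenAFS; the passwd entries and the `may_access`/`uid_collisions` helpers are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data in `getent passwd` format: name:x:uid:gid:gecos:home:shell
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
balsa:x:1000:1000:Balazs GAL:/home/balsa:/bin/bash
"""
# Constructed entries as a network NSS source might return them.
# "mallory" claims UID 0, which would map that account onto local root.
NETWORK_PASSWD = """alice:x:1001:1001:Alice:/home/alice:/bin/bash
mallory:x:0:0:Mallory:/home/mallory:/bin/bash
"""

def parse_passwd(text):
    """Parse passwd-format lines into {name: (uid, gid)}; blanks/comments skipped."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        entries[name] = (int(uid), int(gid))
    return entries

def may_access(uid, gids, owner_uid, owner_gid, mode, want):
    """Classic Unix mode-bit check. `want` is a string of 'r', 'w', 'x'.
    Note that nothing here asks how the caller was authenticated: only the
    numeric UID/GID matter, which is why a spoofed NSS entry is decisive."""
    bits = {"r": 4, "w": 2, "x": 1}
    need = sum(bits[c] for c in want)
    if uid == 0:
        # Superuser: read/write always; execute only if some x bit is set.
        return "x" not in want or (mode & 0o111) != 0
    if uid == owner_uid:
        perm = (mode >> 6) & 7
    elif owner_gid in gids:
        perm = (mode >> 3) & 7
    else:
        perm = mode & 7
    return perm & need == need

def uid_collisions(local, network):
    """Defender check: network-sourced entries whose UID a local entry already holds."""
    by_uid = defaultdict(list)
    for name, (uid, _gid) in local.items():
        by_uid[uid].append(name)
    return [(name, uid, by_uid[uid])
            for name, (uid, _gid) in network.items() if uid in by_uid]
```

Running `uid_collisions(parse_passwd(LOCAL_PASSWD), parse_passwd(NETWORK_PASSWD))` flags the constructed "mallory" entry as colliding with root, which is exactly the "any rights on the clients" situation the thread describes.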