Hello,

I wonder about the following scenario, which is quite common:

A large network consisting of many users and many Unix boxes. Users
aren't supposed to have root access to any box. All home directories
reside on a central fileserver. How do you configure the networked
filesystem?

The obvious solution is to (auto)mount the home directories to the
individual boxes via NFS, using NIS or LDAP to keep the user accounts
consistent. This is terribly insecure -- if *any* box is compromised,
*all* home directories are available to the attacker. The NFS security
model relies on the client boxes for doing the user authentication,
which is a terrible assumption. Note that root_squash and suchlike are
of little help, since root can 'su' into any user.

Things are even worse if users have their own workstations, to which
they do have root access, but still need to mount personal directories
from a fileserver.

You can solve this if you know in advance which user works on which
client, and NFS-export each home directory separately with appropriate
host restrictions. But this "off-line central authentication" is clearly
impractical.

Interestingly, the NT domain model (incarnated as SMB) seems to be the
best possible in this respect, at least in theory. Namely, as long as a
user hasn't actually typed his password into any compromised box, his
files are safe. This is because of the challenge-response authentication
against the domain controller, and the distinction between local and
domain-wide "Administrator" accounts.

Kerberos has a comparable model, but I couldn't find any info about
combining it with NFS (plain NFS+pam_krb5 obviously doesn't solve
anything). Is there such a combination, or a viable alternative?

Regards,
Eran Tromer
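The post's central point is that a plain NFS export trusts whatever UID the client host asserts, so root on any client (via 'su') can read every home directory, and host restrictions or root_squash do not change that. The following is an added example, not part of the original post or anyone's reply to it: a small audit script that parses Linux exports(5)-style lines and flags every export whose access control still rests on the client host, i.e. one using the default AUTH_SYS flavor (sec=sys), one exported to the world, or one with no_root_squash. Exports that carry a Kerberos flavor (sec=krb5, krb5i or krb5p, the RPCSEC_GSS mechanism NFSv4 uses) are not flagged, because there the server checks the user's ticket rather than the client's UID. The sample exports file is constructed for the example; the hostnames and paths in it are made up.

```python
import re
from typing import Dict, List

# Constructed sample /etc/exports (example data, not from the original post).
SAMPLE_EXPORTS = """\
# home directories exported with classic AUTH_SYS to every client
/export/home   *(rw,root_squash)
# same tree, restricted to a lab subnet, still AUTH_SYS (sec=sys is the default)
/export/home   10.1.0.0/16(rw,sync)
# Kerberized export: the user's ticket, not the client's UID, decides access
/export/home   lab-*.example.org(rw,sec=krb5p,sync)
# scratch space that also disables root squashing
/export/scratch 10.1.2.0/24(rw,no_root_squash,sec=sys)
"""

# One export token looks like "host(opt,opt)"; the parenthesised part is optional.
TOKEN_RE = re.compile(r"^([^(]*)(?:\(([^)]*)\))?$")


def parse_exports(text: str) -> List[Dict]:
    """Parse exports(5)-style lines into {path, host, options} records."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *tokens = line.split()
        if not tokens:                         # bare path: exported to everyone
            tokens = [""]
        for tok in tokens:
            m = TOKEN_RE.match(tok)
            if not m:
                raise ValueError(f"cannot parse export token: {tok!r}")
            host = m.group(1) or "*"
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            entries.append({"path": path, "host": host, "options": opts})
    return entries


def security_flavors(options: List[str]) -> List[str]:
    """Return the sec= flavors of an entry; an export without sec= means AUTH_SYS."""
    for o in options:
        if o.startswith("sec="):
            return o[len("sec="):].split(":")
    return ["sys"]


def audit_exports(text: str) -> List[Dict]:
    """Flag exports whose access control depends on trusting the client host."""
    findings = []
    for e in parse_exports(text):
        issues = []
        if "sys" in security_flavors(e["options"]):
            issues.append("auth_sys")        # server believes the UID the client sends
        if e["host"] == "*":
            issues.append("world_export")    # any host on the network may mount it
        if "no_root_squash" in e["options"]:
            issues.append("no_root_squash")  # client root acts as root on the server
        if issues:
            findings.append({"path": e["path"], "host": e["host"], "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f['path']:<16} {f['host']:<20} {', '.join(f['issues'])}")
```

Run against the sample, the script reports the three AUTH_SYS exports and stays quiet about the sec=krb5p one; the subnet-restricted entry is still reported, which is exactly the post's observation that host restrictions alone do not stop a compromised client from impersonating any user.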