[4371] in Kerberos
Re: Help After Install
daemon@ATHENA.MIT.EDU (Gordon Matzigkeit)
Sun Dec 18 20:11:43 1994
To: kerberos@MIT.EDU
Date: Mon, 19 Dec 1994 00:32:35 GMT
From: gord@enci.ucalgary.ca (Gordon Matzigkeit)
Hmm... the epoch continues. :)
In article <199412182243.WAA22001@matrix.ajlc.waterloo.on.ca> ajlill@ajlc.waterloo.on.ca (Anthony J. Lill) writes:
[much deleted]
I personally believe that hosts.equiv is evil. A person can still do
lots of damage if they get hold of bin or sys or adm or a dozen other
accounts. As Don Davis pointed out in private email, once you've
installed the Kerberized rlogin/rcmd, it's secure enough to allow you
to do lots of admin remotely.
Fair enough.
Gordon> This would be really nice.
How nice is it to have two sources of passwd information to maintain?
It would probably be easier to administer if you Kerberized everything
on your secure net.
O.K. I think this is where my lack of knowledge shines through. Am I
correct in thinking that Kerberos completely replaces the NIS passwd
maps? This would be even nicer.
Somebody pointed out to me in private e-mail that there are 6
netadmins at MIT who manage 1300 machines. If Kerberos includes a
passwd database replacement, would this be managed by keeping private
console passwords for each machine, but using kerberized rcommands for
day-to-day administration?
Of course, without knowing just what you're trying to accomplish, it's
very hard to say just how you should proceed. Security can mean
anything from your favourite blankie to a minefield.
Yeah... I guess I should be more specific:
We have a couple of Sun machines which are under our direct
administration. Currently, and unfortunately, they have to trust
each other quite a bit. In the same ethernetwork, there are several
office and lab PCs, which we have little control over. Right now, we
don't have a serious problem, but as the network grows, it may become
more malicious.
Our UNIX users belong to two overlapping groups:
casual - just need access to cheap UNIX servers and workstations for
mail, ftp, etc.
high-performance - need our more expensive UNIX servers to do heavy
number-crunching.
We want to make this setup as secure as possible. With standard UNIX
administration, it is a nightmare. We are currently using host-based
access control on EVERY workstation and server. s/key is fun for a
while, but it gets to be a pain when you want root on 4 or 5
workstations, and its security is fairly dependent on the fact that we
never use a time-shared system to compute our passwords. Yeargh!
So, we are in the process of planning a major reorganization to allow
easy and manageable network growth.
These are our concerns:
1) Be as transparent as possible. Right now, our users have more pull
with our bosses than we do.
2) Have simple, centralized host-by-host access control. This is
necessary so that we can stop casual users from using our hiperf
machines, and stop anybody except sysadms from using Xterms from the
network, etc.
3) Have as much authentication as possible. We can't do this at all
right now. Ideally, all our UNIX machines would be kerberized, *but*,
what about people who login from their home PCs over the network?
They have to traverse untrusted nets.
4) Allow rdumps, NFS between our UNIX machines that the PCs will not
be able to listen in on. I think subnetting our PCs will partially
solve this. Ideally, it would be encrypted so that it doesn't matter
what nasty people sniffed our ethernet. I think Sun secure RPC can be
used for the NFS problem, but I don't know about rdumps. 1 tape drive
per host is not feasible. Maybe other backup software (we're using
the perl scripts from cis.ohio-state.edu) would support that.
So, that's it in a nutshell. All us netadmin people are trying to do
is prevent people from abusing privileged resources.
Thanks again for everybody's comments thus far.
As another question: I heard somebody offering the krb5 .ps docs for a
fee. If I don't have TeX, is there any way I can get/build/steal them
myself?
--Gordon
--
Tony Lill, Tony.Lill@AJLC.Waterloo.ON.CA
President, A. J. Lill Consultants (519) 241 2461
539 Grand Valley Dr., Cambridge, Ont. fax/data (519) 650 3571
"I'm not a security expert, I just play one on the net"
--
Gordon Matzigkeit | J: Let the sun shine in. Let your castle gleam!
gord@enci.ucalgary.ca | B: My castle does not gleam.