[4466] in Kerberos
Re: Help After Install
daemon@ATHENA.MIT.EDU (Anthony J. Lill)
Mon Jan 9 23:55:00 1995
To: gord@enci.ucalgary.ca (Gordon Matzigkeit)
Cc: kerberos@MIT.EDU
In-Reply-To: Your message of "Mon, 19 Dec 1994 00:32:35 GMT."
<GORD.94Dec18173235@enci.ucalgary.ca>
Reply-To: Tony.Lill@ajlc.waterloo.on.ca
Date: Mon, 09 Jan 1995 23:04:07 -0500
From: "Anthony J. Lill" <ajlill@ajlc.waterloo.on.ca>
Never ask a question before Christmas...
>>>>> "Gordon" == Gordon Matzigkeit <gord@enci.ucalgary.ca> writes:
Gordon> O.K. I think this is where my lack of knowledge shines
Gordon> through. Am I correct in thinking that Kerberos
Gordon> completely replaces the NIS passwd maps? This would be
Gordon> even nicer.
No, Kerberos just handles the password part of the passwd file; you
still need NIS or something for the other 6 fields.
Gordon> Somebody pointed out to me in private e-mail that there
Gordon> are 6 netadmins at MIT who manage 1300 machines. If
Gordon> Kerberos includes a passwd database replacement, would
Gordon> this be managed by keeping private console passwords for
Gordon> each machine, but using kerberized rcommands for
Gordon> day-to-day administration?
I don't know what tools Hesiod and Moira provide (perhaps someone who
knows will post a short summary), but using Kerberos+NIS, I'd do that.
Tony> Of course, without knowing just what you're trying to
Tony> accomplish, it's very hard to say just how you should
Tony> proceed. Security can mean anything from your favourite
Tony> blankie to a minefield.
Gordon> Yeah... I guess I should be more specific:
Gordon> We have a couple of Sun machines which are under our
Gordon> direct administration. Currently, and unfortunately, they
Gordon> have to trust each other quite a bit. In the same
Gordon> ethernetwork, there are several office and lab PCs, which
Gordon> we have little control over. Right now, we don't have a
Gordon> serious problem, but as the network grows, it may become
Gordon> more malicious.
Gordon> Our UNIX users belong to two overlapping groups:
Gordon> casual - just need access to cheap UNIX servers and
Gordon> workstations for mail, ftp, etc.
Gordon> high-performance - need our more expensive UNIX servers to
Gordon> do heavy number-crunching.
Gordon> We want to make this setup as secure as possible. With
Gordon> standard UNIX administration, it is a nightmare. We are
Gordon> currently using host-based access control on EVERY
Gordon> workstation and server. s/key is fun for a while, but it
Gordon> gets to be a pain when you want root on 4 or 5
Gordon> workstations, and its security is fairly dependent on the
Gordon> fact that we never use a time-shared system to compute our
Gordon> passwords. Yeargh!
Gordon> So, we are in the process of planning a major
Gordon> reorganization to allow easy and manageable network
Gordon> growth.
Gordon> These are our concerns:
Gordon> 1) Be as transparent as possible. Right now, our users
Gordon> have more pull with our bosses than we do.
Gordon> 2) Have simple, centralized host-by-host access control.
Gordon> This is necessary so that we can stop casual users from
Gordon> using our hiperf machines, and stop anybody except sysadms
Gordon> from using Xterms from the network, etc.
I don't think Kerberos will give you this; at least a quick scan of
telnet didn't show any sort of access control other than what normal
telnet does. It will open an encrypted channel, and you can have it
bypass the login program and rely on Kerberos only, if desired. Of
course, since you are compiling the source anyway, you can add what
you want.
The Xterms are another problem, and I think you're completely out of
luck there.
Gordon> 3) Have as much authentication as possible. We can't do
Gordon> this at all right now. Ideally, all our UNIX machines
Gordon> would be kerberized, *but*, what about people who login
Gordon> from their home PCs over the network? They have to
Gordon> traverse untrusted nets.
Two that I know of: FTP Inc's TCP product has Kerberos V4 built
in. CyberSAFE Corporation markets a Version 5 Windows Client with
WinSock API compatibility. Kerberized r-commands and telnet, single
copy price $95. There may be others.
Gordon> 4) Allow rdumps, NFS between our UNIX machines that the
Gordon> PCs will not be able to listen in on. I think subnetting
Gordon> our PCs will partially solve this. Ideally, it would be
Gordon> encrypted so that it doesn't matter what nasty people
Gordon> sniffed our ethernet. I think Sun secure RPC can be used
Gordon> for the NFS problem, but I don't know about rdumps. 1
Gordon> tape drive per host is not feasible. Maybe other backup
Gordon> software (we're using the perl scripts from
Gordon> cis.ohio-state.edu) would support that.
Sun has a kerberized RPC, so that may be another option for NFS, but
I don't know what its availability is. The rdump software is
available on the net, so you could kerberize that yourself, or backup
via NFS.
Gordon> So, that's it in a nutshell. All us netadmin people are
Gordon> trying to do is prevent people from abusing privileged
Gordon> resources.
Gordon> Thanks again for everybody's comments thus far.
You're welcome.
--
Tony Lill, Tony.Lill@AJLC.Waterloo.ON.CA
President, A. J. Lill Consultants (519) 241 2461
539 Grand Valley Dr., Cambridge, Ont. fax/data (519) 650 3571
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"