On Fri, 22 Feb 2002, Eran Tromer wrote:
> Hello,
>
> I wonder about the following scenario, which is quite common:
> A large network consisting of many users and many Unix boxes. Users
> aren't supposed to have root access to any box. All home directories
> reside on a central fileserver. How do you configure the networked
> filesystem?
>
> The obvious solution is to (auto)mount the home directories to the
> individual boxes via NFS, using NIS or LDAP to keep the user accounts
> consistent. This is terribly insecure -- if *any* box is compromised,
> *all* home directories are available to the attacker. The NFS security
> model relies on the client boxes for doing the user authentication,
> which is a terrible assumption. Note that root_squash and suchlike are
> of little help, since root can 'su' into any user.
>
> Things are even worse if users have their own workstations, to which
> they do have root access, but still need to mount personal directories
> from a fileserver.
>
> You can solve this if you know in advance which user works on which
> client, and NFS-export each home directory separately with appropriate
> host restrictions. But this "off-line central authentication" is clearly
> impractical.
>
> Interestingly, the NT domain model (incarnated as SMB) seems to be the
> best possible in this respect, at least in theory. Namely, as long as a
> user hasn't actually typed his password into any compromised box, his
> files are safe. This is because of the challenge-response authentication
> against the domain controller, and the distinction between local and
> domain-wide "Administrator" accounts.
>
> Kerberos has a comparable model, but I couldn't find any info about
> combining it with NFS (plain NFS+pam_krb5 obviously doesn't solve
> anything). Is there such a combination, or a viable alternative?
AFS? CODA? InterMezzo? I'm not sure how mature the latter two are. AFS and
CODA are built around Kerberos, AFAIR.

-- 
Tzafrir Cohen
mailto:[EMAIL PROTECTED]
http://www.technion.ac.il/~tzafrir
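The weakness Eran describes (the NFS server taking the client's word for the caller's UID, so root on any compromised client can impersonate every user) is at least something a defender can spot in an exports file. The following is an added example, not part of this thread: a small Python audit over a constructed /etc/exports, assuming the exports(5) syntax `path client(options)` where `sec=` lists the accepted RPCSEC_GSS flavours and `sys` (the default) means client-asserted UIDs.

```python
import re

# Constructed sample /etc/exports (not from the thread); the hosts are placeholders.
SAMPLE_EXPORTS = """\
# home directories for the lab
/home            *(rw,root_squash)
/home/alice      ws-alice.example.org(rw,sec=krb5p,root_squash)
/export/scratch  192.168.1.0/24(rw,no_root_squash)
/home/bob        ws-bob.example.org(rw,sec=sys,root_squash)
"""

# Flavours where the server verifies the user via Kerberos instead of trusting the client.
STRONG_SEC = {"krb5", "krb5i", "krb5p"}


def parse_exports(text):
    """Return (path, host, options) for every client clause in an exports file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", client)
            if not m:
                continue                          # malformed clause, skip it
            host = m.group(1) or "*"              # "(rw)" alone means every host
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, host, opts))
    return entries


def audit_exports(text):
    """Flag exports whose protection rests on what the client claims (AUTH_SYS)."""
    findings = []
    for path, host, opts in parse_exports(text):
        sec = next((o.split("=", 1)[1] for o in opts if o.startswith("sec=")), "sys")
        flavours = set(sec.split(":"))            # sec= may list several, colon-separated
        if not flavours <= STRONG_SEC:
            # With sys the client supplies the UID; root_squash does not help because
            # root on the client can simply su to the victim's UID before mounting.
            findings.append(f"{path} -> {host}: accepts sec={sec} (client-asserted UIDs)")
        if "no_root_squash" in opts:
            findings.append(f"{path} -> {host}: no_root_squash (remote root is root here)")
        if host == "*" or host.startswith("*."):
            findings.append(f"{path} -> {host}: wildcard host, no client restriction")
    return findings
```

Running `audit_exports(SAMPLE_EXPORTS)` flags everything except /home/alice, the one export that requires a Kerberos flavour.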