Re: NIS with local root

From: Seth Arnold (sarnold@wirex.com)
Date: 01/31/03

Date: Fri, 31 Jan 2003 14:15:24 -0800
From: Seth Arnold <sarnold@wirex.com>
To: focus-linux@securityfocus.com

What we have to work with:

Users have full control over their workstations
Users should be able to use any workstation
Users should be able to get all their files from any workstation

What this means is we cannot trust the authentication of the clients;
the servers must perform some level of authentication themselves. This
is the problem Kerberos was designed to solve -- resources on a given
server need a valid authentication ticket from a ticket granting server,
which performs password-based challenge-response authentication of the
user at the keyboard.

While the workstations' roots can install trojans to gather a Kerberos
password from a user, that is a new level of distrust for the problem;
that can only be solved by not letting them have root access. (Which in a
computer lab setting is probably a wise idea; on developer workstations,
it is probably a pretty poor idea.)

Another option, perhaps easier than Kerberos, is that users can use gpg's
symmetrical encryption support and encrypt the files they care about
most. This won't solve the trojan problem. But learning to use gpg is a
lot easier than learning to set up Kerberos. :)

(Maybe SMB-style shares would solve this problem too, as they can
require authentication before granting access to users.)

-- 
"There's an old saying in Tennessee, I know it's in Texas, probably in
Tennessee, that says, 'Fool me once... shame on ... shame on .. you; but
fool--you can't get fooled again.'" -- Commander in Chief of the US Military
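The trust relationship the message describes (the file server trusts a ticket issued by the ticket granting server, never the client workstation's own claim about who is logged in) is shown below as an added toy model in Python. It is not code from the original post or from any Kerberos implementation: the KDC and FileServer classes, the realm salt, the service name and the sample user and password are all constructed, and the seal/unseal routine is a stdlib HMAC-based stand-in for Kerberos's real message formats and encryption types. What it does show is the point of the post: a workstation root can become any local uid, but without the user's password the KDC's reply is unreadable, and without the server's own key no ticket is accepted.

```python
import hashlib
import hmac
import json
import secrets
import time

SALT = b"constructed-realm-salt"  # constructed; real KDCs salt per principal


def derive_key(password: str) -> bytes:
    """Password-derived long-term key: stored by the KDC, regenerated by the
    user at the keyboard, never held by a workstation's local root."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: HMAC counter-mode keystream plus an HMAC tag.
    Illustrative stand-in only, not a Kerberos encryption type."""
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag first; a wrong key or a tampered blob fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad ticket or authenticator: wrong key or tampered")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication server and ticket granting server in one (constructed)."""

    def __init__(self):
        self.user_keys = {}       # principal -> password-derived key
        self.service_keys = {}    # service -> long-term key shared with that server
        self.tgs_key = secrets.token_bytes(32)

    def add_user(self, name, password):
        self.user_keys[name] = derive_key(password)

    def add_service(self, name):
        self.service_keys[name] = secrets.token_bytes(32)
        return self.service_keys[name]

    def as_exchange(self, user):
        """The request carries only a claimed name; the reply is useless to
        anyone who cannot derive the user's key from the password."""
        session = secrets.token_bytes(32)
        tgt = seal(self.tgs_key, {"user": user, "key": session.hex(), "exp": time.time() + 600})
        return tgt, seal(self.user_keys[user], {"key": session.hex()})

    def tgs_exchange(self, tgt, authenticator, service):
        """Open the TGT with the TGS key; the authenticator must be sealed under
        the session key found inside it."""
        body = unseal(self.tgs_key, tgt)
        session = bytes.fromhex(body["key"])
        auth = unseal(session, authenticator)
        if auth["user"] != body["user"] or time.time() > body["exp"]:
            raise ValueError("TGT/authenticator mismatch or expired")
        svc_session = secrets.token_bytes(32)
        ticket = seal(self.service_keys[service], {"user": body["user"], "key": svc_session.hex()})
        return ticket, seal(session, {"key": svc_session.hex()})


class FileServer:
    """Trusts tickets sealed under its own key, not the client-claimed uid."""

    def __init__(self, key, homes):
        self.key, self.homes = key, homes   # homes: owner -> {filename: content}

    def read(self, ticket, authenticator, owner, filename):
        body = unseal(self.key, ticket)      # rejects anything not from the KDC
        auth = unseal(bytes.fromhex(body["key"]), authenticator)
        if auth["user"] != body["user"]:
            raise ValueError("authenticator does not match ticket")
        if body["user"] != owner:
            raise PermissionError(f"{body['user']} may not read {owner}'s files")
        return self.homes[owner][filename]


def client_login(kdc, user, password):
    tgt, enc = kdc.as_exchange(user)
    session = bytes.fromhex(unseal(derive_key(password), enc)["key"])  # ValueError on wrong password
    return tgt, session


def client_service_ticket(kdc, user, tgt, session, service):
    ticket, enc = kdc.tgs_exchange(tgt, seal(session, {"user": user, "ts": time.time()}), service)
    return ticket, bytes.fromhex(unseal(session, enc)["key"])


def demo():
    """Returns (alice's file content, wrong-password login accepted?, foreign-key ticket accepted?)."""
    kdc = KDC()
    kdc.add_user("alice", "correct horse battery")   # constructed sample credential
    fs = FileServer(kdc.add_service("nfs/fileserver"), {"alice": {"notes.txt": "private"}})
    tgt, session = client_login(kdc, "alice", "correct horse battery")
    ticket, svc_session = client_service_ticket(kdc, "alice", tgt, session, "nfs/fileserver")
    content = fs.read(ticket, seal(svc_session, {"user": "alice", "ts": time.time()}), "alice", "notes.txt")
    try:                                  # local root may be uid alice, but has no password
        client_login(kdc, "alice", "not her password")
        wrong_password_ok = True
    except ValueError:
        wrong_password_ok = False
    other = secrets.token_bytes(32)       # a ticket under a key the server does not share
    try:
        fs.read(seal(other, {"user": "alice", "key": other.hex()}),
                seal(other, {"user": "alice", "ts": time.time()}), "alice", "notes.txt")
        foreign_key_ok = True
    except ValueError:
        foreign_key_ok = False
    return content, wrong_password_ok, foreign_key_ok
```

Running `demo()` returns `('private', False, False)`: the legitimate login reads the file, the password-less attempt cannot open the KDC's reply, and the file server's MAC check throws out a ticket it did not get from the KDC. The `exp` field in the TGT is the only lifetime check in the toy; real deployments also bound clock skew and cache authenticators against replay.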
