From: Dai_Peng@emc.com
Date: 01/24/03-02:29:49 PM Z
Message-ID: <6335CBB2F69AD411AD3100D0B7BA38E30CF0BF4B@CORPUSMX2>
Subject: Re: NFSv4 security model
Date: Fri, 24 Jan 2003 15:29:49 -0500

>Even if running IPsec, AUTH_SYS still doesn't prevent Mallet from
>impersonating Alice. Trivial ways include:
>Mallet, who knows the root password, su's to Alice

There is no question about the security RPCSEC_GSS/Kerberos provides over AUTH_SYS. But the above example does not establish that. Once the client machine is compromised, meaning the root password is leaked, then all bets are off. In this case, neither AUTH_SYS nor RPCSEC_GSS/Kerberos can provide the proper protection for the user. For example, with root privilege, a trojan horse (a modified kinit in the case of Kerberos) can be installed on the client machine to intercept the user secret. The host krb5.keytab is also at risk.

>Mallet, who knows how to use rpcgen, produces a user level
>NFS client in a matter of hours, and accesses Alice's data.

This does not require local root privilege. But if the NFS client can be somewhat restricted locally, say by the server requiring client requests to originate from restricted ports, then it can be prevented.

Even if the above can be done, there is still a significant difference between AUTH_SYS/IPSec and RPCSEC_GSS/Kerberos. The former approach relies on the client machine to properly authenticate the user (the uid/gids are credentials acquired as a result of the authentication); while the latter relies on the server machine to do that. So using the first approach, compromising one machine would affect all users; while in the second approach, only users using the compromised machine are affected.
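
What a server can and cannot check on an AUTH_SYS request, as an added example that is not part of the original message: it decodes the authsys_parms credential body defined in the ONC RPC specification (RFC 5531) and applies the restricted-port check mentioned above. The function names, the sample credential and the 1023 port threshold (the Unix privileged-port convention) are assumptions made for illustration.

```python
import struct

RESERVED_PORT_MAX = 1023  # assumption: Unix convention, binding below 1024 needs root


def pack_authsys(stamp, machine, uid, gid, gids):
    """XDR-encode authsys_parms; used here only to build the constructed sample."""
    name = machine.encode("ascii")
    return (struct.pack(">II", stamp, len(name)) + name + b"\0" * (-len(name) % 4)
            + struct.pack(">III", uid, gid, len(gids))
            + struct.pack(">%dI" % len(gids), *gids))


def parse_authsys(body):
    """Decode an AUTH_SYS credential body into the fields the client asserted."""
    stamp, name_len = struct.unpack_from(">II", body, 0)
    if name_len > 255:
        raise ValueError("machinename longer than 255 bytes")
    name = body[8:8 + name_len]
    off = 8 + name_len + (-name_len % 4)  # XDR pads strings to a 4-byte boundary
    uid, gid, ngids = struct.unpack_from(">III", body, off)
    if ngids > 16:
        raise ValueError("more than 16 supplementary gids")
    gids = struct.unpack_from(">%dI" % ngids, body, off + 12)
    if off + 12 + 4 * ngids != len(body):
        raise ValueError("trailing bytes after credential")
    return {"stamp": stamp, "machine": name.decode("ascii", "replace"),
            "uid": uid, "gid": gid, "gids": list(gids)}


def server_decision(src_port, cred_body):
    """Return (accepted, reason, cred) for a hypothetical AUTH_SYS server policy."""
    cred = parse_authsys(cred_body)
    if src_port > RESERVED_PORT_MAX:
        return False, "source port %d is not a reserved port" % src_port, cred
    # Nothing in the credential proves the uid; the server is trusting the client host.
    return True, "uid %d accepted as asserted by %s" % (cred["uid"], cred["machine"]), cred


# Constructed sample: the same credential bytes arriving from two source ports.
SAMPLE = pack_authsys(0x3E31A2FD, "client1", 1001, 100, [100, 20])

if __name__ == "__main__":
    for port in (50000, 801):
        print(port, server_decision(port, SAMPLE)[:2])
```

The port check is the only thing that differs between the two outcomes; the uid, gid and machine name are taken from the request as sent.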