NFS Security

[John F Carr]

In article <1487 at ficc.uu.net> peter at ficc.uu.net (Peter da Silva) writes:

>Just how heavy a load (in CPU power, throughput, and un-unix-like behaviour)
>does the system used by Project Athena impose?

First, a description of the system he refers to:

  The Kerberos authentication system is designed for use in an insecure
  environment.  The fundamental assumption is that no machine needs to
  trust any machine other than a single server.  In addition, there is
  a site requirement that any Athena user be able to login on any of the
  several hundred workstations (except those reserved for individual use).
  
  .rhosts and duplicate /etc/passwd on all machines are acceptable for a 
  limited number of secure machines, but fail on large networks (consider
  the size of the passwd file for 6000+ users...then think of chaning it
  on each of 500 machines every time a user changes his password or a new
  user is added).  

  One problem is solved by having a common, central database to store such
  information as: 

     /etc/passwd entries for all users
     group lists
     location of NFS home directory
     location of mail server

  The other problem, authentication, is solved with Kerberos.  There are 
  a number of services for which authentication is desired, including:

     NFS uid mapping
     receiving mail
     sending certain types of messages
     access to the local equivalent of news

  Each service shares a private key with the kerberos server.  A user gets
  a "ticket" to use that service from Kerberos; this is encrypted using
  the service key and the user's key (the user first decrpyts the ticket
  with his key, then sends it to the server); if the server can decrypt it 
  then it can ID the user (since only Kerberos can encrypt with the service
  key).

  The exact sequence of encryption and details of message format are more
  complicated than I describe here.  It is possible for root on a machine
  to steal tickets out of the file (mode rw-------) in which they are stored, 
  but it is in principle possible for root to read a user's files in UNIX 
  regardless of any security.

The performance impact:

  Programs which require authentication have been re-written to use
  kerberos without any change in the user interface (an initial ticket
  is obtained at login and used to get more as needed).  As long as
  the ticket has not expired, the change is invisible.  Where possible,
  unauthenticated versions are kept as fallbacks (so, a failed kerberos
  rlogin tries again with the standard rlogin).

  CPU time is a consideration, since encryption is required.  In the present
  implementation, most net traffic after the initial authentication is not
  encrypted, so there is almost no performance impact.  I don't know how
  important it is for other applications (such as encrypted rlogin).  That
  it works on such a large network is evidence that it does not require too
  much time (else the server would overload).

  For NFS use, there is an option to require authentication for all mounts
  (and restrict access to a specific list), or to map unauthenticated 
  users to nobody.

  --John Carr
   John Carr             "When they turn the pages of history,
   jfc at Athena.mit.edu     When these days have passed long ago,
                          Will they read of us with sadness
                          For the seeds that we let grow?"  --Neil Peart