
RE: secure NIS and NFS like services (was Re: networking)



Some of us are working on securing Apple's (Formerly NeXT's) netinfo to
use certificate based authentication, and a permission scheme which
prioritizes machines' access to different parts of the data dictionary.
The new netinfo stuff from Apple will supposedly be ldap based anyway, so
we are examining it to see what the upcoming security model is to see if
we need not bother, but either way, we will have secure NetInfo and plan
on porting it to OpenBSD.  OpenBSD is certainly the platform from which we
intend to administer the network, as it is the hardest to crack.

One suggestion might be to do just that, administer the NIS domain from
OpenBSD, and provide NO access to the NIS info other than read access from
any non-OpenBSD server.  This should mean that breaking the Solaris box
shouldn't allow you to break any other box.  If you are not exposing
services or exporting filesystems with unreasonable levels of trust, you
should be okay.

Beware .rhosts and hosts.equiv files/data dictionaries.

cg
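
The export and rhosts checks implied by the advice above, as an added example that is not from this thread: the first function audits an exports(5)-style file for entries that trust every host, keep remote root unsquashed, or export read-write; the second flags `+` wildcard entries in hosts.equiv or .rhosts files. File paths are assumed, and the sample entries in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Each function prints one finding per
# line and returns 1 if anything was flagged, 0 if the file looks conservative.
# Assumed input format: OpenBSD exports(5), e.g.
#   /export/pub -ro -maproot=nobody 10.0.0.5 10.0.0.6

# Flag exports with no host restriction, exports that keep remote root as
# root (-maproot=root or -maproot=0), and read-write exports.
audit_exports() {
    _file=$1 _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in ''|\#*) continue ;; esac
        _path='' _hosts='' _ro=0 _root=0
        for _w in $_line; do
            case $_w in
                /*) _path=${_path:-$_w} ;;           # first path on the line
                -ro) _ro=1 ;;
                -maproot=root|-maproot=0) _root=1 ;;
                -network=*) _hosts="$_hosts $_w" ;;  # subnet limit counts as a host list
                -*) ;;                               # other option, not trust-related
                *) _hosts="$_hosts $_w" ;;           # explicit host or netgroup
            esac
        done
        [ -z "$_hosts" ] && { echo "$_path: exported to every host"; _bad=1; }
        [ "$_root" -eq 1 ] && { echo "$_path: remote root is not squashed"; _bad=1; }
        [ "$_ro" -eq 0 ] && { echo "$_path: exported read-write"; _bad=1; }
    done < "$_file"
    return $_bad
}

# Flag wildcard trust ('+' as the host, or '+' as the user) in a
# hosts.equiv or .rhosts file; such entries let any host or any user in.
audit_equiv() {
    _file=$1 _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in ''|\#*) continue ;; esac
        set -- $_line
        if [ "$1" = '+' ]; then
            echo "$_file: '$_line' trusts every host"; _bad=1
        elif [ "$#" -ge 2 ] && [ "$2" = '+' ]; then
            echo "$_file: '$_line' trusts every user on $1"; _bad=1
        fi
    done < "$_file"
    return $_bad
}
```

Run as `audit_exports /etc/exports; audit_equiv /etc/hosts.equiv` on each server; a clean host returns 0 from both.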

-----Original Message-----
From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org] On Behalf Of
alex
Sent: Thursday, September 16, 1999 7:32 AM
To: misc@openbsd.org
Subject: secure NIS and NFS like services (was Re: networking)


> If there is something you don't trust, see if you can place it on a box
> not so vital to your business.

Obviously that would be the best solution but it's not always
possible.  The point of the question was whether or not it's possible
to get NIS and NFS like services without opening yourself up to that
much risk.

Let's say we have a single solaris box running everything on our
system.  It has to be a solaris box for some reason -- one of the
services we have to provide will only run on solaris.

Some of the services expose us to risk -- shell service, for example,
is dangerous.  Other services aren't so risky.  So we decide that it
would be nice if we could separate off the risky services from the
not so risky services on different machines, and tie them together
with NIS and NFS.  If the box with the risky services on it falls, the
not so risky services box would still be safe, hopefully.  And
remember, one of our risky services has to run on solaris (just to
make the problem more interesting).

The problem with that is that if someone gets root on one box, NFS
exposes us to a "domino effect" -- it puts the other boxes at risk.
So we're not getting that much of a win from splitting things off.

Are there ways to get NFS and NIS like services that don't expose you
to this domino effect?

There are solutions out there, but nothing seems to be general.  Sun
has NIS+, but that doesn't do me any good if I want to run OpenBSD and
Solaris together.  The Coda file system seems to be a lot safer than
NFS, but that isn't supported everywhere either.  Even IPsec, which
protects the link, but doesn't address problems in underlying
protocols, doesn't seem to run on solaris.

So what I'd like to know is how experienced openbsd security gurus
solve these problems, if they solve them at all.  Is it possible to
secure NFS, at least on the openbsd side?  Do they use AFS?  Is AFS an
expensive solution?  And what, if anything, exists for the NIS side of
the problem?
