288 NFS

MIT’s Project Athena attempted to add security to NFS using a network security system called Kerberos. True to its name, the hybrid system is a real dog, as Alan Bawden found out:

Date: Thu, 31 Jan 91 12:49:31 EST
From: Alan Bawden alan@ai.mit.edu
To: UNIX-HATERS
Subject: Wizards and Kerberos

Isn’t it great how when you go to a Unix weenie for advice, he never tells you everything you need to know? Instead you have to return to him several times so that he can demand-page in the necessary information driven by the faults you are forced to take.

Case in point: When I started using the Unix boxes at LCS I found that I didn’t have access to modify remote files through NFS. Knowledgeable people informed me that I had to visit a Grand Exalted Wizard who would add my name and password to the “Kerberos” database. So I did so. The Grand Exalted Wizard told me I was all set: from now on whenever I logged in I would automatically be granted the appropriate network privileges.

So the first time I tried it out, it didn’t work. Back to the Unix-knowledgeable to find out. Oh yeah, we forgot to mention that in order to take advantage of your Kerberos privileges to use NFS, you have to be running the nfsauth program.

OK, so I edit my .login to run nfsauth. I am briefly annoyed that nfsauth requires me to list the names of all the NFS servers I am planning on using. Another weird thing is that nfsauth doesn’t just run once, but hangs around in the background until you log out. Apparently it has to renew some permission or other every few minutes or so.
The consequences of all this aren’t immediately obvious, but everything seems to be working fine now, so I get back to work. Eight hours pass. Now it is time to pack up and go home, so I try to write my files back out over the network. Permission denied. Goddamn. But I don’t have to find a Unix weenie because as part of getting set up in the Kerberos database they did warn me that my Kerberos privileges would expire in eight hours. They even mentioned that I could run the kinit program to renew them. So I run kinit and type in my name and password again.
But Unix still doesn’t let me write my files back out. I poke around a bit and find that the problem is that when your Kerberos privileges expire, nfsauth crashes. OK, so I start up another nfsauth, once again feeding it the names of all the NFS servers I am using. Now I can write my files back out.

Well, it turns out that I almost always work for longer than eight hours, so this becomes a bit of a routine. My fellow victims in LCS Unix land assure me that this really is the way it works and that they all just put up with it. Well, I ask, how about at least fixing nfsauth so that instead of crashing, it just hangs around and waits for your new Kerberos privileges to arrive? Sorry, can’t do that. It seems that nobody can locate the sources to nfsauth.

The Exports List

NFS couldn’t have been marketed if it looked like the system offered no security, so its creators gave it the appearance of security, without going through the formality of implementing a secure protocol. Recall that if you don’t give the NFS server a magic cookie (the file handle), you can’t scribble on the file. So, the NFS theory goes, by controlling access to the cookies, you control access to the files. To get the magic cookie for the root directory of a file system, you need to mount the file system. And that’s where the idea of “security” comes in. A special file on the server called /etc/exports lists the exported file systems and the computers to which the file systems are allowed to be exported. Unfortunately, nothing prevents a rogue program from guessing magic cookies. In practice, these guesses aren’t very hard to make.
Not being in an NFS server’s exports file raises the time to break into a server from a few seconds to a few hours. Not much more, though. And, since the servers are stateless, once a cookie is guessed (or legitimately obtained) it’s good forever.

In a typical firewall-protected network environment, NFS’s big security risk isn’t the risk of attack by outsiders—it’s the risk that insiders with authorized access to your file server can use that access to get at your files as well as their own. Since it is stateless, the NFS server has no concept of “logging in.” Oh sure, you’ve logged into your workstation, but the NFS server doesn’t
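The exports-list scheme described above, modelled as an added example. This is a toy written for this page, not code from the book or from any NFS implementation: there is no RPC, the 32-byte handle packing (fsid, inode number, generation number) is an assumption standing in for a real server’s opaque handle, and the exports listing, the volume contents and the hostnames (alpha.example, beta.example, outsider.example) are constructed. What it reproduces is the structure the text complains about: the exports list is consulted only when mount() hands out a root handle, every other request is authorized by the handle alone, the handle space is small enough to enumerate without mounting at all, and a handle obtained once keeps working after the client is removed from the exports list.

```python
"""Toy model of a stateless NFS-style server, written for this example.
Not real NFS (no RPC; the handle layout is invented). It reproduces only
the design the text describes: exports are checked at mount time only,
handles are built from predictable fields, and any valid handle is served."""
import struct

ROOT_INO = 2            # conventional root inode number on Unix
HANDLE_FMT = ">III20x"  # fsid, inode, generation, padded to 32 bytes
# Constructed /etc/exports-style listing; the hostnames are made up.
EXPORTS_TEXT = """
/home   alpha.example(rw) beta.example(rw)
/usr    alpha.example(ro)
"""
# Constructed volume: {path: (fsid, {ino: (generation, payload)})}, where
# a payload is bytes for a regular file or {name: ino} for a directory.
VOLUMES = {"/home": (0x0701, {
    ROOT_INO: (0, {"alan": 11, "bob": 12}),
    11: (0, {"notes": 20}),
    12: (0, {"secret": 21}),
    20: (1, b"nfsauth crashed again\n"),
    21: (3, b"bob's private data\n"),
})}

def parse_exports(text):
    """Return {path: {host: mode}} from an exports-style listing."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        table[path] = {}
        for spec in specs:
            host, _, mode = spec.partition("(")
            table[path][host] = mode.rstrip(")") or "ro"
    return table

def make_handle(fsid, ino, gen):
    return struct.pack(HANDLE_FMT, fsid, ino, gen)

class ToyNfsServer:
    def __init__(self, exports, volumes):
        self.exports = exports
        self.volumes = volumes

    def mount(self, client_host, path):
        # The one and only place the exports list is consulted.
        if client_host not in self.exports.get(path, {}):
            raise PermissionError(f"{client_host} may not mount {path}")
        fsid, files = self.volumes[path]
        return make_handle(fsid, ROOT_INO, files[ROOT_INO][0])

    def _resolve(self, fh):
        fsid, ino, gen = struct.unpack(HANDLE_FMT, fh)
        for vol_fsid, files in self.volumes.values():
            if vol_fsid == fsid and ino in files and files[ino][0] == gen:
                return fsid, ino, files
        raise FileNotFoundError("stale file handle")

    def lookup(self, dir_fh, name):
        fsid, ino, files = self._resolve(dir_fh)
        child = files[ino][1][name]
        return make_handle(fsid, child, files[child][0])

    def read(self, fh):
        # Stateless: nothing records who mounted what, so the handle is
        # the whole credential; the requesting host is never checked.
        _, ino, files = self._resolve(fh)
        return files[ino][1]

def guess_handles(server, fsid, max_ino=64, max_gen=8):
    """Walk a small (inode, generation) space for one fsid and keep every
    handle the server accepts, without ever calling mount()."""
    found = {}
    for ino in range(1, max_ino):
        for gen in range(max_gen):
            try:
                found[(ino, gen)] = server.read(make_handle(fsid, ino, gen))
            except FileNotFoundError:
                pass
    return found

def demo():
    server = ToyNfsServer(parse_exports(EXPORTS_TEXT), VOLUMES)
    out = {}
    # A listed client mounts, walks to a file and reads it.
    root = server.mount("alpha.example", "/home")
    notes = server.lookup(server.lookup(root, "alan"), "notes")
    out["legit_read"] = server.read(notes)
    # An unlisted host is refused at mount time...
    try:
        server.mount("outsider.example", "/home")
        out["outsider_mounted"] = True
    except PermissionError:
        out["outsider_mounted"] = False
    # ...but mount is the only gate: guessed handles are served anyway.
    guessed = guess_handles(server, server.volumes["/home"][0])
    out["guessed_files"] = sorted(v for v in guessed.values() if isinstance(v, bytes))
    # Handles outlive the exports list: drop the host, then read again.
    del server.exports["/home"]["alpha.example"]
    out["read_after_unexport"] = server.read(notes)
    return out
```

Call demo() from an interpreter: it returns the legitimate read, the refused outsider mount, both file contents recovered by guess_handles() without any mount, and the successful read after the client’s export entry has been deleted. The generation number is the field a real server bumps when an inode number is reused, so that old handles go stale; in this model it only multiplies the search by eight, which is the sense of the text’s “a few seconds to a few hours”.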