Looking for data on secure logins, NFS via secure RPC

Looking for data on secure logins, NFS via secure RPC

Post by Bill Stou » Thu, 08 Aug 1996 04:00:00



I wrote an internal whitepaper on NT's Network security mechanisms,
and now my boss (a heavy MS fan) wants the same for UNIX for
comparison.

NT has weak SMB (Server Message Block) security attaching to new
network shares (sends username/password/domain in SMB request),
when attaching to new shares on an existing server (only uses an
assigned UID), but uses strong initial login security (encrypts
username/password/domain in DES & MD4, sends DES & MD4 encrypted
password across net in secure encrypted channel and receives user
SIDs from server).  NT 4.0 beta software seems to allow existing users
full access to protected network directories on NT 3.51 SP3 systems.

Now the question:

Is there a reference to strong _network_ login and NFS security mechanisms
for UNIX?  I am looking for packages that use Secure RPC-type mechanisms
for logins, NFS mounts, etc.  Hopefully I can obtain a document that
describes step-by-step the authentication/access or token granting process.
It would also be nice if I could refer to the tools as generic UNIX tools,
not Solaris-only NIS+.

 
 
 

Looking for data on secure logins, NFS via secure RPC

Post by Michael R. Eisl » Sat, 10 Aug 1996 04:00:00




Quote:>Now the question:

>Is there a reference to strong _network_ login and NFS security mechanisms
>for UNIX?  I am looking for packages that use Secure RPC-type mechanisms
>for logins, NFS mounts, etc.  Hopefully I can obtain a document that
>describes step-by-step the authentication/access or token granting process.
>It would also be nice if I could refer to the tools as generic UNIX tools,
>not Solaris-only NIS+.

http://playground.sun.com/~mre/secrpc

has pointers to the latest security stuff still under developemnt,
as wqell as a link to the oncrpc working group at IETF. There
you'll find drafts of the specs for  AUTH_DH (aka AUTH_DES)
and AUTH_KERB.

--
-Mike Eisler                    NFS group


 
 
 

Looking for data on secure logins, NFS via secure RPC

Post by Chris Calabres » Sat, 10 Aug 1996 04:00:00



> I wrote an internal whitepaper on NT's Network security mechanisms,
> and now my boss (a heavy MS fan) wants the same for UNIX for
> comparison.

> NT has weak SMB (Server Message Block) security attaching to new
> network shares (sends username/password/domain in SMB request),
> when attaching to new shares on an existing server (only uses an
> assigned UID), but uses strong initial login security (encrypts
> username/password/domain in DES & MD4, sends DES & MD4 encrypted
> password across net in secure encrypted channel and receives user
> SIDs from server).  NT 4.0 beta software seems to allow existing users
> full access to protected network directories on NT 3.51 SP3 systems.

> Now the question:

> Is there a reference to strong _network_ login and NFS security mechanisms
> for UNIX?  I am looking for packages that use Secure RPC-type mechanisms
> for logins, NFS mounts, etc.  Hopefully I can obtain a document that
> describes step-by-step the authentication/access or token granting process.
> It would also be nice if I could refer to the tools as generic UNIX tools,
> not Solaris-only NIS+.

On the subject of NFS using secure-RPC, NFS v2 (which almost all
UNIX's support) supports reasonably-secure NFS if you're using
NIS.  NFS v3 (which about 1/3 Unix vendors support) supports much
better security mechanisms, including stronger versions of secure-RPC
and Kerberos.

You might also check out 3rd party add-on Kerberos packages, which
are available for most (all?) major UNIX's.  This solves both the NFS
problem and the login problem.

While we're on the subject of secure logins....what if you can come
up with a secure NFS scheme but not a secure login scheme?  Is that bad?
In a traditional UNIX shop, you'd think it was very bad, but since
NT can't do network logins at all, what about just turning off
network logins and declaring the systems secure?  It's a thought, anyway.

In any event, the biggest issue in my opinion is not NFS security
vs SMB security, but NFS vs SMB.  After all, if you're in a WinTel
environment, your boss isn't going to go for loading NFS on all the machines.
If you're a mostly Unix shop...

- enter TheyMadeMeDoIt mode

Now, allow me to propose NetWare as a networking
solution.  NDS gives you about the same level of security as NFS+Kerberos
(which is to say, much better than SMB) and is well supported by WinTel.

Also take a look UnixWare, which can do NFS (only v2, though Kerberos is
available 3rd party), NetWare+NDS (with the NetWare add-on package)
and SMB (also with an add-on package).

--
Christopher J. Calabrese
Security Architect
Novell IS&T Global Technical Architecture

 
 
 

Looking for data on secure logins, NFS via secure RPC

Post by Robert Thurl » Sun, 11 Aug 1996 04:00:00



Quote:>On the subject of NFS using secure-RPC, NFS v2 (which almost all
>UNIX's support) supports reasonably-secure NFS if you're using
>NIS.  NFS v3 (which about 1/3 Unix vendors support) supports much
>better security mechanisms, including stronger versions of secure-RPC
>and Kerberos.

You're pretty confused here.  Security in the NFS architecture is
provided in the RPC layer; there is no particular reason why NFS V2
and NFS V3 would have to have different security mechanisms, and in
fact recent solutions apply nicely to both versions.  NFS V3 is a
superior protocol, but it's only implementation problems that have
limited NFS security so far.

Rob T
--

There was something fishy about the butler.  I think he was a Pisces,
probably working for scale.             -- Nick Danger, Third Eye

 
 
 

Looking for data on secure logins, NFS via secure RPC

Post by jsanc.. » Wed, 21 Aug 1996 04:00:00



> On the subject of NFS using secure-RPC, NFS v2 (which almost all
> UNIX's support) supports reasonably-secure NFS if you're using
> NIS.

Except that the secure RPC supported with NFS v2:

        - Uses a DH key that is too short (192 bits was it?)

        - Is vulnerable to man-in-the-middle attacks

        - The key distribution mechanism (the publickey map in NIS)
          contains the private key encrypted usually with the user
          login password, so it can provide useful info to a password
          cracker

Mind, I'm not saying you should not use it, only that everyone should
be aware of its limitations.

--
Julio Sanchez, SGI Soluciones Globales Internet
Tel: (91) 804 28 37 Fax: (91) 804 14 05  WWW: http://www.esegi.es

 PGP Key fingerprint =  E5 29 93 6F 41 4E 00 E2  90 11 A1 8C 72 D0 DE 71