welcome: please sign in

The following 361 words could not be found in the dictionary of 7 words (including 7 LocalSpellingWords) and are highlighted below:
about   access   Access   accessing   account   accounts   acquire   act   Actually   adamc   add   admin   admins   after   aklog   all   also   amount   an   and   announce   announced   another   any   Anybody   anything   approach   are   as   As   at   Authentication   authentication   back   bad   basically   basis   be   Because   been   before   behalf   behind   being   but   By   by   can   Category   client   comes   compromise   compromised   computer   consequence   Contents   continue   contrast   control   Coop   could   credentials   critical   cryptographic   currently   date   dates   days   Deleuze   deleuze   describes   desk   did   difference   directory   discovered   discovery   disk   Distributed   distributed   do   does   doesn   Doing   don   effort   either   entire   equivalent   every   expect   expiration   expire   expired   explained   explains   exploit   exposure   extremely   February   files   first   For   for   forever   fresh   front   full   future   get   getting   grant   grown   hacking   Had   Happened   has   have   hcoop   here   him   hole   home   host   hours   How   However   html   http   https   identity   ie   if   immediately   immortal   implement   implements   implicitly   important   in   In   including   incredibly   information   infrastructure   instantly   Instead   into   is   issues   it   It   just   kdc   keeping   Kerberos   kerberos   kernel   Key   key   keys   kinit   know   laptop   large   let   level   lifetime   Lifetimes   lifetimes   like   limited   Limited   Limits   linux   lists   live   ll   local   log   logged   logging   Login   login   longer   machine   machines   makes   managed   Manual   means   megacz   Member   member   members   might   minimal   mire   mires   modifications   more   must   need   net   network   never   No   no   none   not   now   number   obtain   Of   of   oh   on   once   one   ones   only   or   order   ought   our   out   own   page   password   Passwordless   passwords   people   personal   pipermail   point   poor   pretend   Price   price   private   project   proof   prove   proxy   pubkey   public   Public   rationale   re   reasoning   regular   renew   Renewal   require   required   right   risky   robust   rogue   root   rotate   runs   same   say   says   Security   security   see   servers   service   services   set   seven   several   Shell   should   sitting   small   so   software   some   somehow   ssh   stole   strategy   such   system   systems   Table   take   than   that   That   The   the   then   There   These   these   they   thing   things   this   This   those   throughout   Ticket   tickets   Tickets   time   to   tokens   Tokens   too   tricky   True   true   trust   trusted   trusting   trusts   type   typing   understand   Understanding   unlike   untrusted   use   used   user   users   uses   using   very   via   virtue   was   way   we   were   whatever   when   where   which   who   will   wise   wiser   With   with   Within   without   wonder   work   worry   would   You   you   Your   your   yourself  

Clear message
Edit

MemberManual / DistributedSecurity

This page describes the rationale for Kerberos and AFS being the way they are. It also explains some things that people would not expect if they have never used either AFS or Kerberos.

Contents

  1. Understanding True Distributed Security
    1. This Actually Happened
  2. The Price of Security
    1. Limited Ticket Lifetimes and Renewal Limits
    2. No SSH Public Key Authentication

HCoop's infrastructure implements true distributed security, unlike systems such as NFS/NIS and NTLM, which do not.

Understanding True Distributed Security

In order to understand the reasoning behind this, you first need to project yourself into the future where HCOOP has grown to the point where it has several machines like mire (that is, user-login machines) and a small number of security-critical machines like deleuze (KDC, passwords, AFS service).

With a system that does not implement distributed security (like NIS/NFS), the entire network implicitly trusts local root on every machine on the network. This means that with a system like NIS/NFS, if a rogue user somehow managed to compromise "local root" on any one of the mire machines, that user would instantly have full access to every account (including admin accounts) on every machine throughout all of HCoop. This is not a wise approach to security.

By contrast, Kerberos (and by virtue of using it, AFS) implements true distributed security. Deleuze does not trust mire any more than it trusts your laptop on your desk at home. As we add more user servers, they too will be untrusted. Because deleuze only runs the minimal set of security-critical services, this makes HCoop very robust.

This Actually Happened

In February of 2008 a linux kernel security hole was discovered. Within hours of the discovery being announced, one of our own members used it to take control of mire. Had we not been using distributed security, that member would immediately have compromised 100% of all HCoop infrastructure and all accounts, including cryptographic keys with no expiration date.

Because we have distributed security, the only exposure was the credentials of the users who were logged into mire at the time of the exploit (which expired after 10 hours) and mire's ssh host key (which we ought to rotate on a regular basis, but currently don't).

The Price of Security

However, not trusting mire comes at a price. Your files live on deleuze (in AFS), but you're logged in to mire. How does deleuze know that you should be trusted to access your own files? It can't just say "oh, I trust whatever mire says, so if mire says it's adamc (one of the root admins), I'll let him access anything." That would be incredibly poor security.

Instead, when you log in to mire via ssh, you type your password, which mire then uses to prove your identity to deleuze. Deleuze issues "Kerberos Tickets" and "AFS Tokens" (which are basically the same thing; don't worry about the difference right now) that you can then use to prove your identity.

Limited Ticket Lifetimes and Renewal Limits

These tickets and tokens have a limited lifetime -- currently on HCoop they expire after 24 hours. This is important: if these tickets and tokens did not have expiration dates, they would be basically equivalent to your password. Anybody who stole these "immortal tickets" (say, by hacking one of the mires) could pretend to be you, forever, and you would be none the wiser. This would be just as bad as keeping your password sitting on the disk on mire.

There is a consequence to these limited lifetimes: once your tickets+tokens expire, you can no longer access AFS. This means that you must log out and log back in every 24 hours in order to continue accessing your home directory. You can also renew your tickets without a password by typing "kinit -R;aklog" before your tickets expire -- but this will only work for seven days; you can't renew tickets longer than that without getting fresh ones.

No SSH Public Key Authentication

There is also another consequence to the tickets+tokens strategy: you must type your password when logging in so that mire can get tickets and tokens for you. SSH public key authentication will not work. However, you can obtain tickets and tokens on your personal computer (ie the machine you're sitting in front of), and use those tickets to log in to mire without using a password. For more information, see MemberManual/ShellAccess/PasswordlessLogin.

You might wonder if mire could somehow act as a proxy and use your ssh client's proof that you have your ssh private key to acquire kerberos tickets on your behalf. Doing this in a way that doesn't grant a risky level of trust to mire is very, very tricky. The modifications required to do this are explained here, but require an extremely large amount of effort.

CategoryMemberManual

MemberManual/DistributedSecurity (last edited 2013-01-13 18:23:47 by ClintonEbadi)