
Re: About how to protect network resources in LDAP environment?



"Boyd Stephen Smith Jr." <bss@iguanasuicide.net> writes:
> Min Wang wrote:

>> Thanks. I'm totally a newbie to this nfs4/gssapi/kerberos.
>>
>> (1) does this approach
>>
>> prevent user1-> root ( su-> ) user2?

> Yes. "su" does not grant Kerberos credentials.

Well, it does if you're using pam_krb5 as the authentication method for su
and you enter a password.  But it doesn't when you switch from root to
another user without a password, which I suspect is what you're trying to
say.

> Yes and no.  The local system will "trust" su, so that root can become
> any user the local system recognizes.  However, network applications
> that use the gssapi (or other Kerberos methods) will require credentials
> granted by the Kerberos system in order to take action as a Kerberos
> user.

Note, however, that local root can steal the credential cache of any other
user on that system, so there's no actual security protection against root
for other users on the same system.  (In the absence of SELinux or the
like, of course.)

> Old-style NFS mostly trusts the local system to identify the user, which
> is why it is mostly only secure if "root" is shared between the NFS
> server and all its clients.

And if you have complete control over the local network so that no one can
spoof IP addresses, or pretend to be your NIS server, or....

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
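The trust models discussed in this thread, as an added toy model that is not code from any of the participants: the "old-style" NFS flavour (AUTH_SYS) lets the server believe whatever uid the client kernel puts in the RPC credential, so root doing `su` to another user on the client is enough; under RPCSEC_GSS with Kerberos the server only honours an identity proven by a ticket bound with the NFS service key, which `su` without a password does not provide. The realm, principals, uids, service key and the simplified ticket/MAC scheme are all constructed for the example and stand in for the real Kerberos message formats.

```python
"""Toy model of the two NFS trust models described in the thread.

Added example, not code from the thread.  It contrasts AUTH_SYS (the
"old-style" NFS security flavour, where the server believes the uid/gid the
client kernel places in the RPC credential) with RPCSEC_GSS/Kerberos, where
the server only honours an identity proven by a ticket bound with the NFS
service key.  Realm, principals, uids and keys are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional
import hashlib
import hmac

# Server-side view: principal -> uid mapping (idmapd-style), constructed.
PRINCIPAL_TO_UID = {"alice@EXAMPLE.COM": 1001, "bob@EXAMPLE.COM": 1002}
UID_TO_NAME = {0: "root", 1001: "alice", 1002: "bob"}

# Long-term key for the NFS service principal, shared only by the KDC and the
# NFS server (stands in for the keytab entry).  Constructed value.
NFS_SERVICE_KEY = b"constructed-nfs-service-key"


@dataclass(frozen=True)
class AuthSysCred:
    """What the client kernel sends under AUTH_SYS: an asserted uid and gid."""
    uid: int
    gid: int


@dataclass(frozen=True)
class ServiceTicket:
    """Toy service ticket: principal name plus a MAC under the service key."""
    client_principal: str
    mac: bytes


def kdc_issue_ticket(client_principal: str) -> ServiceTicket:
    """The KDC binds the authenticated principal to the ticket with the service key."""
    mac = hmac.new(NFS_SERVICE_KEY, client_principal.encode(), hashlib.sha256).digest()
    return ServiceTicket(client_principal, mac)


def server_identity_auth_sys(cred: AuthSysCred) -> str:
    """AUTH_SYS: the server has nothing to verify; the asserted uid *is* the identity."""
    return UID_TO_NAME.get(cred.uid, f"uid{cred.uid}")


def server_identity_gss(ticket: ServiceTicket) -> Optional[str]:
    """RPCSEC_GSS: accept only tickets the KDC issued, then map principal -> uid."""
    expected = hmac.new(NFS_SERVICE_KEY, ticket.client_principal.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ticket.mac):
        return None  # forged or tampered ticket: access denied
    uid = PRINCIPAL_TO_UID.get(ticket.client_principal)
    return UID_TO_NAME.get(uid) if uid is not None else None


@dataclass
class ClientHost:
    """A client machine: which local uids currently hold a Kerberos ccache."""
    ccaches: Dict[int, ServiceTicket]


def access_after_su(host: ClientHost, target_uid: int, flavor: str) -> Optional[str]:
    """Identity the server sees after root has done 'su' to target_uid without a
    password (so no new ticket was obtained) and then touched the export."""
    if flavor == "sys":
        return server_identity_auth_sys(AuthSysCred(target_uid, target_uid))
    if flavor == "krb5":
        ticket = host.ccaches.get(target_uid)
        return server_identity_gss(ticket) if ticket else None
    raise ValueError(f"unknown security flavour: {flavor}")


def access_with_copied_ccache(host: ClientHost, victim_uid: int) -> Optional[str]:
    """The caveat raised in the thread: a ccache that local root reads from another
    user is indistinguishable from the real thing, so the server grants that identity."""
    ticket = host.ccaches.get(victim_uid)
    return server_identity_gss(ticket) if ticket else None


def access_with_forged_ticket(principal: str) -> Optional[str]:
    """Root on the client does not hold the service key, so a self-made ticket fails."""
    forged = ServiceTicket(principal, hashlib.sha256(b"guess").digest())
    return server_identity_gss(forged)


if __name__ == "__main__":
    # alice logged in with a password and obtained a ticket; bob has none.
    host = ClientHost(ccaches={1001: kdc_issue_ticket("alice@EXAMPLE.COM")})
    print("sys,  su bob            :", access_after_su(host, 1002, "sys"))
    print("krb5, su bob            :", access_after_su(host, 1002, "krb5"))
    print("krb5, forged ticket     :", access_with_forged_ticket("bob@EXAMPLE.COM"))
    print("krb5, alice's own ccache:", access_with_copied_ccache(host, 1001))
```

Running the script shows the asymmetry the thread describes: under `sys` the server reports `bob` for a uid that was never authenticated, under `krb5` the same `su` yields no identity at all and a forged ticket is rejected, while a ccache that already exists on the host is honoured regardless of who presents it, which is why local root remains outside the protection Kerberos gives against other machines.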