On Sat, 24 Jul 1999, Pete Gonzalez wrote:

> >For AFS/NFS there is a kerberized NFS server which does token forwarding to
> >the AFS client on the same system, but I think one still has to log in to
> >the NFS server to get such tokens (perhaps with the kerberized NFS client,
> >this would go away; it's dead slow though).
> 
> Hrm...  Well what about approaching it from the other direction; could the
> CODA security model replace the Unix/Linux /etc/passwd authentication,
> i.e. so a valid CODA login counts as valid authentication on the local
> system?  Could this be done using PAM?  (This would require a notion of
> multiple CODA sessions from the same user on the same host, but that
> shouldn't be too difficult.)  That, combined with the elimination of
> this strange 25 hour expiration rule, would be quite a workable system.

I would suggest that one dump the Unix/Linux /etc/passwd authentication
completely (except for the root password) and use kerberos exclusively.
Kerberos has a well thought out and robust security mechanism. I won't go
into detail on all of the design decisions that went into it (those are
covered on the MIT kerberos web site and documentation), but it is my
opinion that it is the most secure authentication system for Unix like
systems that exists in the Open Source world, and also quite possibly in
the closed source world too.

 
> BTW what exactly is the justification for the expirations?  It seems to
> decrease security (by requiring daemons which store the passwords in
> cleartext) rather than increase it.

One reason I can come up with is that expiration is needed in case a user
logs out, and there isn't a mechanism by which venus can tell the user is
no longer logged in, and that tokens should be destroyed. If this were not
the case, a machine which has been compromised could allow an attacker
filesystem access to any accounts which have logged into the machine since
it was last rebooted. (Granted, haveing the passwords in cleartext allows
the same thing, but not *every* client will have cleartext passwords on
it)

Kerberos expires tickets for the above reasons, and *also* so that an
attacker with a packet sniffer only has a limited amount of time to play
use the sniffed information. (Kerberos 5 has mechanisms to keep even this
from happening)

> Pete Gonzalez
> 
> 

--------------------------------------------------------------------------
| Troy Benjegerdes    |       troy_at_microux.com     |    hozer_at_drgw.net   |
|    Unix is user friendly... You just have to be friendly to it first.  |
| This message composed with 100% free software.    http://www.gnu.org   |
--------------------------------------------------------------------------