Nicolas Williams Staff Engineer Sun Microsystems, Inc.

Similar documents
Kerberized NFS 2010 Kerberos Conference

dcache NFSv4.1 Tigran Mkrtchyan Zeuthen, dcache NFSv4.1 Tigran Mkrtchyan 4/13/12 Page 1

Configuring NFSv4 on SUSE Linux Enterprise 10

NFS Version 4 Open Source Project. William A.(Andy) Adamson Center for Information Technology Integration University of Michigan

Centralized Authentication with Kerberos 5, Part I

Network Working Group. Category: Standards Track June 1999

Configuring Kerberos

Kerberos and NFS4 on Linux. isginf Workshop

Powerful and Frictionless Storage Administration

User Security Configuration Guide, Cisco IOS XE Fuji 16.8.x (Cisco ASR 920 Routers)

Secure Unified Authentication

Henry B. Hotz Jet Propulsion Laboratory California Institute of Technology. Kerberos 5 Upgrade

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries

Configuring Kerberos

Kerberos & HPC Batch systems. Matthieu Hautreux (CEA/DAM/DIF)

Novell Kerberos Login Method for NMASTM

GridNFS: Scaling to Petabyte Grid File Systems. Andy Adamson Center For Information Technology Integration University of Michigan

FreeIPA Cross Forest Trusts

NFS Version 4 Security Update

Secure Unified Authentication for NFS

TIBCO Spotfire Connecting to a Kerberized Data Source

SAS Grid Manager and Kerberos Authentication

Identity Management In Red Hat Enterprise Linux. Dave Sirrine Solutions Architect

Data, Avdeling for ingeniørutdanning, Høgskolen i Oslo

Overview of Kerberos(I)

Replay Caching is a Pain

--enable-gss Strong authentication in Lustre&friends

Kerberos and Active Directory symmetric cryptography in practice COSC412

Cross-realm trusts with FreeIPA v3

The Kerberos Authentication Service

Internet Engineering Task Force (IETF) Request for Comments: 8000 Category: Standards Track. November 2016

Trusted Intermediaries

AIT 682: Network and Systems Security

2 SCANNING, PROBING, AND MAPPING VULNERABILITIES

NFSv4 and rpcsec_gss for linux

MIT Kerberos & Red Hat

NFSv4 Open Source Project Update

"Charting the Course... Enterprise Linux Security Administration Course Summary

SSSD. Client side identity management. LinuxDays 2012 Jakub Hrozek

Dell EMC Unity Family

SDC EMEA 2019 Tel Aviv

FreeIPA - Control your identity

Cryptography and Network Security

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

Updates from MIT Kerberos

Linux with Active Directory

GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA. Alexander Bokovoy Red Hat Inc. May 4th, 2017

NFS version 4 LISA `05. Mike Eisler Network Appliance, Inc.

NFS Version 4 17/06/05. Thimo Langbehn

Kerberos Constrained Delegation Authentication for SEG V2. VMware Workspace ONE UEM 1810

Administring NFSv4 with Webmin

review of the potential methods

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

Kerberos. Pehr Söderman Natsak08/DD2495 CSC KTH 2008

Kerberos Constrained Delegation Authentication for SEG V2. VMware Workspace ONE UEM 1811

NFS on Steroids: Building Worldwide Distributed File System Gregory Touretsky Intel IT

IMPLEMENTING HTTPFS & KNOX WITH ISILON ONEFS TO ENHANCE HDFS ACCESS SECURITY

NFSv4 Multi-Domain Access. Andy Adamson Connectathon 2010

Integrating a directory server

Likewise Open provides smooth integration with Active Directory environments. We show you how to install

The Kerberos Authentication System Course Outline

FreeIPA and SSSD. Free software identity management. Red Hat Developers Conference Jakub Hrozek Martin Nagy September 14, 2009

Kerberos on the Web Thomas Hardjono

Windows 2000 Conversion Wrapup. Al Williams Penn State Teaching and Learning with Technology SHARE 98, Nashville, TN Session 5822

Network Security Essentials

TIBCO ActiveMatrix BPM Single Sign-On

AUTHENTICATION APPLICATION

KERBEROS PARTY TRICKS

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1

CPSC 467b: Cryptography and Computer Security

Subtitle: Join Sun Solaris Systems to Active Directory with Likewise

Escape from the Identity crisis with FreeIPA

Kerberos for the Web Current State and Leverage Points

FreeIPA. Directory and authentication services the easy way. Christian Stankowic. Free and Open Source software Conference

NFS: The Next Generation. Steve Dickson Kernel Engineer, Red Hat Wednesday, May 4, 2011

PSUMAC101: Intro to Auth

Windows Authentication With Multiple Domains and Forests

RBAC in Solaris 10. Darren J Moffat Staff Engineer, Networking & Security Sun Microsystems, Inc. 7 th October 2004

Kerberos MIT protocol

How to Connect to a Microsoft SQL Server Database that Uses Kerberos Authentication in Informatica 9.6.x

The Important Details Of Windows Authentication

MCSA Windows Server A Success Guide to Prepare- Microsoft Configuring Advanced Windows Server 2012 Services. edusum.

Network Security: Kerberos. Tuomas Aura

Setting Up Identity Management

Active Directory Attacks and Detection

Configuring SSL. SSL Overview CHAPTER

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

DoD Common Access Card Authentication. Feature Description

Radius, LDAP, Radius, Kerberos used in Authenticating Users

How to Integrate an External Authentication Server

HP Operations Orchestration Software

The Evolution of the NFS Protocol:

Spring Security Kerberos - Reference Documentation

US FEDERAL: Enabling Kerberos for Smartcard Authentication to Apache.

ISILON ONEFS WITH HADOOP KERBEROS AND IDENTITY MANAGEMENT APPROACHES. Technical Solution Guide

ZENworks 11 Support Pack 4 User Source and Authentication Reference. October 2016

NAC Appliance (CCA): Configure and Troubleshoot the Active Directory Windows Single Sign On (SSO)

Authentication in real world: Kerberos, SSH and SSL. Zheng Ma Apr 19, 2005

Technical Brief. Network Port & Routing Requirements Active Circle 4.5 May Page 1 sur 15

Network Security (NetSec)

Transcription:

Deploying Secure NFS Nicolas Williams Staff Engineer Sun Microsystems, Inc. nicolas.williams@sun.com Page 1 of

Secure NFS Background A Brief History Protocol In the beginning, no security AUTH_SYS, AUTH_NONE (1984) First attempts at security AUTH_DH (1987) AUTH_KERB (1992) RPCSEC_GSS (1997) Generic, pluggable, extensible Page 2 of

Secure NFS Background A Brief History Implementations SunOS 4.x, AUTH_DH (1987) Solaris 2.6, SEAM (2000) RPCSEC_GSS, Kerberos V available as Sun Enterprise Authentication Mechanism Since then Solaris support has improved; Linux, Hummingbird, NetApp, and others have added support for RPCSEC_GSS Page 3 of

High-Level View Step one: key distribution Plan, deploy Kerberos V Realm(s) KDCs Host keying NFS, other services, clients* User keying (password migration) Step two: secure the actual shares share -o sec=sys share -o sec=krb5i Page 4 of

Deploying Kerberos V Planning Realms Plan krb5 realms along boundaries of current administrative domains One IT dept. one realm Name realms after DNS domains No need for a realm for each sub-domain Kerberos V has not be internationalized So only ASCII-only realm names work for now! Page 5 of

Deploying Kerberos V KDC Infrastructure Plan number of KDCs, topology, replication One or two KDCs per-supported site No need for big iron for KDCs Physical security Kerberos V KDCs are trusted third parties that share secret keys w/ all principals KDC theft is a Bad Thing Page 6 of

Deploying Kerberos V Key Distribution Key your services nfs/<hostname.fqdn>@<realm> host/<hostname.fqdn>@<realm> Where necessary*, key your clients host/..., root/...* Give users Kerberos V principals and passwords <username>@<realm> Page 7 of

Securing NFS Shares NFS Security Flavors AUTH_* (NONE, SYS, DH) RPCSEC_GSS GSS-API mechanism, protection level, QoP krb5 Kerberos V, authentication only krb5i Kerberos V, integrity protection krb5p Kerberos V, privacy protection dh MECH_DH, authentication only SPKM, LIPKEY Page 8 of

Securing NFS Shares Throwing the Switch Server must be keyed Relevant users must be keyed Sometimes clients must be keyed also Flip switch per-share Multiple sec flavors OK, but make no sense sec=krb5i:sys as insecure as sec=sys sec=sys:krb5 fine for testing Mind the server's defaults! Page 9 of

General Notes Careful with that Ax Eugene Compatibility Principal user mapping Credential management Enctypes NFS sec flavor negotiation Upkeep Page 10 of

Compatibility Notes Not Too Bad NFS interoperability is really good But, several different KDC admin protocols, tools don't help ktadd not very interoperable yet Workaround: create 'keytabs' on compatible client, copy to incompatible target Several different Kerberos V password-changing protocols Most support one particular such protocol Page 11 of

Principal Mapping A Server-Side Issue Windows 2000 and up uses Kerberos V principals as usernames But mapping may still be needed for principals from non-windows realms Where this is not so (e.g., Solaris, Linux), principal user mappings are needed Page 12 of

Principal Mapping Linux, Solaris, use gsscred table and/or krb5.conf mappings NetApp maps user principals in server's default realm to files, NIS, or LDAP users, as per config root principals mapped to uid 0 per-root exportfs option Check your server's docs Page 13 of

Credential Management Yes, Network Credentials Should Expire Credentials represent users, clients, services Kerberos V lacks revocation facility, relies on short ticket lifetimes Stolen creds impersonation Disabling principals So creds should have short, finite lifetimes Page 14 of

Credential Management Dealing w/ Ticket Expiration Platform support can help Auto-renew Kerberos V tickets Auto-re-delegation of tickets Auto-refresh Kerberos V tickets At screen unlock time, say, or on-demand if passwords are cached Medium-lived TGTs (say, 7 days), short-lived service tickets (say, 30 min.) Page 15 of

Enctypes Get this Right Make sure that your host service principals have keys for only the enctypes they support Make sure that your user principals have keys for the strongest enctypes supported by the hosts they log into with passwords Page 16 of

Secure NFS Negotiation More on Throwing the Switch Multi-user timesharing clients typically mount with one NFS security flavour, thus the need for per-share/mount flag days Specify one on mount or let one be negotiated Whichever you get applies to all users on client Details of negotiation may be implementation specific (see later slide on Solaris 10) Be aware of how your clients negotiate NFS sec flavours, if not specifying one on the client-side Page 17 of

And After Deployment? Upkeep Key new hosts/services, users Revoke old ones Install decent password quality policies Even before deploying! Mind your KDCs! Page 18 of

Secure NFS Client Availability by Platform Linux 2.6, check your distro Fedora core 2 FreeBSD 5.2, OpenDarwin AIX 5.3 Solaris 2.6 and up Windows 2000 and up Hummingbird NFS Maestro 8.0 and up Page 19 of

Secure NFS Server Availability by Platform Linux 2.6, check your distro Fedora core 2 AIX 5.3 Solaris 2.6 and up Windows 2000 and up Hummingbird NFS Maestro 8.0 and up NetApp ONTAP 6.2 Page 20 of

Kerberos V KDC Availability by Platform Windows 2000 and up ActiveDirectory Cybersafe Runs on Windows, Solaris AIX, HP/UX AIX 5.1 and up Solaris 2.6 and up cont. Page 21 of

Kerberos V KDC Availability by Platform Linux distros, *BSDs, open source MIT krb5 Heimdal Shishi (GNU) Page 22 of

NFSv4 Availability by Platform Linux 2.6, check distros Fedora core 2 and up Windows 2000 and up Hummingbird NFS Maestro 8.0 and up Solaris 10 AIX 5.3 FreeBSD 5.2 and up Page 23 of

Secure NFS, Kerberos, on Solaris Availability by release What's new in Solaris 10 Client keying requirements in Solaris 10 Deployment tips and tools NFS sec flavor negotiation Page 24 of

Availability by Solaris Release NFSv3 Solaris 2.5.1 RPCSEC_GSS, GSS-API, Kerberos V mechanism Unbundled in 2.6, bundled in Solaris 8 NFSv4 Solaris 10 Page 25 of

Availability by Solaris Release Utilities, KDC Unbundled in 2.6, bundled in in Solaris 9 Kerberized telnet, r-cmds, FTP Unbundled in 2.6, bundled in Solaris 10 Secure Shell w/ GSS-API support Solaris 10 Page 26 of

What's New in Solaris 10 With Respect to Kerberos V Support Kerberos V improvements New crypto: 3DES, RC4, AES Solaris Cryptographic Framework Resync'ed with MIT krb5 1.2.1 + much of 1.3 KDC exchanges over TCP, IPv6 support, much more Better deployment tools Page 27 of

What's New in Solaris 10 With Respect to NFS Support Relaxed host keying reqs for clients No need for root principals (except for share -o root=<list> uses) No need for host principals on single-user clients; host/<random> also OK for road warriors Improved principal to user mapping NFSv4 Secure NFS Clustering Page 28 of

Solaris KDCs Planning KDC Infrastructures One master, multiple slaves One or two per-supported site Big iron is not needed for KDCs Use Incremental Propagation (iprop) for fast synchronization with master KDC Incremental Propagation is new in Solaris 10 Page 29 of

Deployment Tools: kclient Configuring and Keying Servers, Clients kclient(1m) More functional than sysidkrb5(1m) Set up krb5.conf(4) from profiles Keys clients, servers with kadmin(1m) Page 30 of

PAM Configuration Configuring PAM to Use Kerberos V Read docs :) pam.conf(4), pam_krb5(5), pam_krb5_migrate (5), AnswerBook Design a PAM config for relevant services pam_krb5 required? sufficient? binding? See examples in pam_krb5(5) Deploy pam.conf changes Page 31 of

Deployment w/ Solaris User Password Migration Enable automatic user migration in master KDC's kadm5.acl(4) Enable automatic user migration in clients' pam.conf(4) by adding pam_krb5_migrate(5) Watch users automatically get Kerberos V principals Use kadmin policies to force password aging Page 32 of

*Notes on Client Keying It's Easier Now Time sharing clients should have host principals For user authentication For some per-nfsv4 mount state (clientid) Single-user (home, laptop) systems can do w/o root principals Required pre-solaris 10 Now required only for root-equivalent access Page 33 of

Secure NFS Negotiation Things Worth Knowing When mounting w/o sec option, client picks 1 st from server offering for which credentials are available [Solaris 10] for the user that triggered the mount [per-solaris 10] for the client's root principal One sec flavor per-mount All users on client are affected; relevant users must have credentials, else they get EACCES Page 34 of

Secure NFS Negotiation A Word About Solaris' nfssec.conf(4) nfssec.conf(4) 'default' entry provides default sec flavor for share commands And for WebNFS (v3) mounts NFSv3 clients negotiate only sec flavors listed in nfssec.conf NFSv4 clients ignore nfssec.conf(4) Page 35 of

What About MECH_DH SecNFS w/ the Sun DH GSS Mech Really, don't use DH This slide is here for completeness, and to show similarity with Kerberos V deployment Step one: key distribution Deploy LDAP directory Key all hosts and users Step two: secure the actual shares share -o sec=sys share -o sec=dh Page 36 of

What About MECH_DH Deploying w/ AUTH_DH/MECH_DH AUTH/MECH_DH issues Authentication only, no transport protection Tiny keys for NIS, files backends Larger keys only for NIS+ (EOLed), LDAP Deployment story is similar to Kerberos V But more difficult in some ways Limited support only* Sun implements it Use Kerberos V instead Page 37 of

Q/A Page 38 of

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback