Date: Wed, 23 Sep 1998 22:27:29 +0200
From: Mark Murray <mark@grondar.za>
To: committers@freebsd.org
Subject: Security and other facilities at WC CDROM - the plan.
Message-ID: <199809232027.WAA19326@gratis.grondar.za>
Hello folks
With the large number of _very_ distributed users using the FreeBSD
machines at WC CDROM, system administration is becoming a nightmare,
and as a by-product, security is becoming increasingly difficult
to police and manage. We have had some _nasty_ security scares
recently, and it is a matter of time before some jerk _really_
breaks things.
WC CDROM is a high-visibility site (So is FreeBSD), and the unwelcome
attention of crackers needs to be proactively addressed.
Jordan and Mike (Smith) have asked me to help reduce the system
administration burden and improve security, and it is with this
that I am now approaching you.
The plan is this:

1) to set up a high-security NIS server which will be the ONLY
   container of passwd(5) account information for FreeBSD committers.

2) NIS has its own set of security problems, so these maps will
   not contain user passwords; instead, other more secure systems
   will be used to provide user authentication:

   a) Those users who use ssh and have set up a no-password login
      will continue to enjoy that facility.

   b) Users who prefer to use telnet will need to use kerberised
      telnet. Non-kerberised FTP will cease to work (except for
      anonymous ftp), and POP will no longer accept your login
      password (Preferring KPOP or APOP). Kerberos 5 will be
      used. SSH port forwarding of FTP and POP ports is
      encouraged.

   c) Users may use One-Time-Passwords (S/Key, OTP, OPIE) for
      Telnet/FTP/POP. This will be reviewed often, and restrictions
      may be added later as it opens up the telnet daemon.

   d) rcp/rlogin will break, as we will be using Kerberos 5, and
      the r-utils standards are not universal enough.

3) User home directories will be auto-mounted to the machine you log
   into from your (FreeBSD) home dir using AMD. (This is a local
   mount at WC CDROM, not from your home/work box!)
This is an advance warning of intentions. Action is going to be
swift.
I request now that you consider any implications that this may have
for your preferred connection method, and approach me with suggestions,
improvements, concerns and/or questions. Let's get these sorted out
NOW. Because of the "almost-break-ins", we are moving fast.
M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org
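The central design point of item 2 above is that the NIS passwd map carries account data but no password material, so that authentication happens only through ssh keys, Kerberos or one-time passwords. The checker below is an added example, not part of Mark's message or of the FreeBSD project's tooling; it parses passwd(5)-format map lines and flags any entry whose password field still holds a usable crypt(3) hash, is empty (no password needed at all), or is malformed. The sample map at the bottom is constructed for this example.

```python
"""Audit a NIS passwd-style map to confirm it carries no password hashes.

Added example (not from the original message): the plan says the NIS
maps will hold account information but no user passwords.  This
checker reads passwd(5)-format lines and reports any entry whose
password field looks like a real hash rather than a lock marker.
"""
import re

# Field values that mean "no password here; authenticate elsewhere".
LOCK_MARKERS = {"*", "x", "!", "!!", "*LK*", "*NP*", "!*"}

# Patterns that indicate an actual crypt(3)-style hash is present:
# traditional DES crypt (13 chars from the crypt alphabet) and the
# modular crypt format ($id$salt$hash).
HASH_PATTERNS = [
    re.compile(r"^[A-Za-z0-9./]{13}$"),
    re.compile(r"^\$[0-9a-z]+\$"),
]

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")


def parse_passwd_line(line):
    """Split one passwd(5) line into its seven fields; None if malformed."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(PASSWD_FIELDS):
        return None
    return dict(zip(PASSWD_FIELDS, fields))


def audit_passwd_map(text):
    """Return a list of (who, problem) for entries that leak or lack
    authentication data.  An empty list means the map is clean: every
    account is locked in the map and must authenticate elsewhere."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        entry = parse_passwd_line(raw)
        if entry is None:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        pw = entry["passwd"]
        if pw == "":
            findings.append((entry["name"],
                             "empty password field (no password required)"))
        elif pw in LOCK_MARKERS:
            continue
        elif any(p.match(pw) for p in HASH_PATTERNS):
            findings.append((entry["name"], "password hash present in map"))
        else:
            findings.append((entry["name"],
                             f"unrecognized password field {pw!r}"))
    return findings


# Constructed sample map for this example; not real account data.
SAMPLE_MAP = """\
# constructed sample NIS passwd map
alice:*:1001:1001:Alice Example:/home/alice:/bin/sh
bob:abJnggxhB/yWI:1002:1002:Bob Example:/home/bob:/bin/csh
carol::1003:1003:Carol Example:/home/carol:/bin/sh
dave:$1$saltsalt$hashhashhashhashhashhas:1004:1004:Dave:/home/dave:/bin/sh
erin:*:1005:1005:Erin:/home/erin
"""

if __name__ == "__main__":
    problems = audit_passwd_map(SAMPLE_MAP)
    if not problems:
        print("map is clean: no password material present")
    for who, problem in problems:
        print(f"{who}: {problem}")
```

Run against a dumped map (for example the output of `ypcat passwd` piped into a file) the same way; anything other than an empty result means the map still carries password material and the separation described in item 2 has not been achieved.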
