
Security (ugh, Again?)



    Date: Fri, 25 May 90 15:40:00 EDT
    From: MILLER@vax.cam.nist.gov (Bruce R. Miller)

    Date: Fri, 25 May 90 15:37 EDT
    To: slug%ai.sri.com@vax.cam.nist.gov
    Message-ID: <19900525193734.2.MILLER@ARTEMIS.cam.nist.gov>


    Without getting into a debate about whether Unix systems really are
    secure or not; hey, I don't even like passwords, security etc.  But, I'd
    like to do something to make our lispms more secure & accessible in some
    appropriate combination; apparently it's not too hard to have either
    extreme, but in the middle?

    What I've got in mind is something vaguely resembling the Unix approach;
    at least our management would feel comfortable; `it looks secure' and
    such.  Also, the fewer times you have to say `well these machines don't
    work like that' the better off you are (even if they work better!)

Telling them that these machines work like macintoshes.

    The ACL setup doesn't seem to match the model I'm looking for;
    and since somebody reported that they couldn't un-install it, I'm
    hesitant to experiment with it! 

    For example; I would like to have the following `features'
      1) To access a machine (telnet or console) you've GOT to log in and
    give a password.  Chris sent a nice hack which uses the firewall stuff
    to disable select & friends and won't let anything happen till the user
    is logged in. But it uses ACL to get the password, which uses the LOCAL
    FS (some of ours don't have FS and also the passwords on different
    machines diverge).

    [TANGENT: What's the deal with Firewall?  It's in SYS:UNSUPPORTED; in rel
    8! Did it die?  Also there are .bin's but no .ibin's; Does it NOT work
    on Ivories?] 

      Ideally, I could look up passwords using Yellow Pages?  At least for
    logging into some machines: I've got one machine that could conceivably
    supply a service (macsyma) to all users on our lan, including Unix
    users.  It would be nice not to have to duplicate the sysadmin tasks
    already done by the Sun people.  BTW, the macsyma machine in question
    has no FS.

    Anybody got YP code working? (is it part of NFS? would one need NFS to
    implement it?... Presumably I need NFS to set the homedir for these
    users anyway.)  

I strongly suggest getting the NFS layered product if you have UNIX machines
at your site.  It gives you capabilities like

-Storage of systems on a UNIX file server, but still keeping the versioning
 features of SCT.  Here at MIT we are storing all of our Release 8 sources,
 fonts, and documentation on a UNIX file server.

-RPC over UDP and TCP between your UNIX machines and your Symbolics 
 Machines.

-Yellow Pages access.

If you have Release 8 Symbolics NFS, a yellow pages lookup for a user's
encrypted password would simply be:

(rpc:username->password
  (rpc:host-unix-name-lookup-access-path
    net:*local-host*)
  username)

The only problem is the password encryption part.  In Release 8.1 Symbolics
NFS will include password encryption code and it will check passwords.  With
it to check a password you would do something like this:

(multiple-value-bind (encrypted-password user-unknown-p)
    (rpc:username->password
      (rpc:host-unix-name-lookup-access-path
        net:*local-host*)
      username)
  (and (not user-unknown-p)
       (string= encrypted-password
                (rpc::unix-crypt password encrypted-password))))

If you ask the Software Support people real nicely, they might be able to
forward you all the 8.0 Network RPC ECOS and a copy of the patch so you can
get password checking sooner.

    At any rate, ACL has a password table per FS rather than `site wide'
    such as YP. Also, apparently the sysadmin must set passwords rather than
    the users.

     2) By default (and without extra passwords) all (or most) lmfs directories
    should be readable, listable.. by a regular logged in person, but not
    writable. 

     3) on the other hand, good ole' superuser me should be able to do
    anything. Ok, I'm willing to type in an extra password for that...

     4) Probably other stuff I haven't thought of too.


    It seems that ACL, by itself, doesn't answer the right questions; some
    combination of ACL & YP would appear to fit better.  Or is it better to
    avoid ACL altogether?  Note that I haven't even installed TCP yet,
    perhaps that experience will clarify some of the issues for me.

    Any help, suggestions, philosophy, and of course, code, would be very
    welcome. 

    Bruce
    miller@cam.nist.gov