Full Disclosure mailing list archives
AFS - The Ultimate Sulution?
From: Paul Sebastian Ziegler <psz () observed de>
Date: Thu, 14 Sep 2006 23:00:46 +0200
Hi list,

recently I found myself in an argument which I found interesting. This is why I want to pass it on to the list, since neither my friend nor I were able to agree on this. Maybe the broader knowledge of this list will lighten up the matter a bit. Apart from this I think it might interest many of you.

Core of the discussion is a corporate system with several workstations all attached to a single network. This network runs an AFS-server which is supplying the corporation's AFS-cell. Every workstation boots into a minimal environment which asks for username and password. Afterwards it uses these to connect to the AFS-Cell and boots one of several available System-Images which reside on the AFS-Server. (Both Linux (FC1) and Windows (2000) Images are available.)

After booting the OS, several important folders and files are replaced with the user's own data (which only he can access due to Kerberos authentication). For instance the Linux image gets /etc/passwd, /etc/shadow, /home/$USER and some others replaced. The custom /etc/passwd and /etc/shadow will only contain the user himself and the root-account in order to prevent bruteforcing the passwords.

It seems like this system is quite secure. Even if an attacker should gain root-access locally he would not be able to access anything he didn't own in the first place. (So to say other users' files residing in their private AFS folders.) Also he could cause no destruction to the system because the system is booted from the same Image every time. Even if he did something like rm -rf / he would only delete his private files in the home-folder.

This is kind of a combination of RemoteBoot and AFS. The well known weakness of RemoteBoot is that - set the case the communication between the image-server is not encrypted - it is possible to supply forged images to the workstation. (E.g. by ARP-Spoofing the image-server.) AFS however uses Kerberos to authenticate and thus is considered secure.

Now my friend claims that this system could go unmanaged for ages since the user's data would remain secure even if security holes were published and exploits released. This seems true. However I kind of refuse to believe that something this simple can truly be secure.

The only hole I could come up with is that there would be a remote vulnerability which an attacker would use to access the running workstation of somebody else. However this seems unlikely and quite lame. Anyone up for anything more sophisticated?

Thanks in advance and happy arguing.

Paul