[9fans] 9grid

["Steve Simon" <steve@quintile.net>]

Hi,

First I wish to apologise as this will offend some people.

Am I the only one who is horrorfied at the lack of security
implied by the two recent cross domain authentication proposals?
I applaud any well written code for plan9 but I don't feel either
are ready for production.

The single central auth server approach uses the
outside.plan9.bell-labs.com auth server allowing anyone who has
a sources account (I.E. anyone who wants to), to attach to grid nodes
and run arbitary software, and read any world readable files
on any node. Ok Plan9 is more secure than some OS's but I wouldn't
allow just _anyone_ access to my machine.

There is no trust relationship with the users. Even if accounts where
explicitly enabled on demand and not by default there is still the problem
of how can an adminstrator on one side of the world trust an unknwon
user on the other side?

The system that delegates authentication to remote, trusted servers
requires the node adminstartor to explicitly set up this trust relationship
so there is much more control here. The adminstrator of each remote authdom
retains responsibility for the actions of their users on remote hosts,
thus we have a distributed system of trust; users would connect to their local
grid node to access the grid as whole, at least here we have a chance that
the adminstartors may know and trust their users who they allow onto the grid.

Unfortunately in the current implementation, exchanges between the auth
servers rely on DNS for mutual authentication. Given knowledge of a valid peer
node's domain name DNS poisining atttacks could easily allow a malacious user
access to all grid node; The once secure Plan9 OS is now wide open.

I can think of only two other possible structures for the grid.

1/ Shared private keys between N grid node's auth servers, these secrets
are used to ensure mutual authentication between auth servers and would
prevent the DNS posioning attack above. Unfortunately this would need 2N
secrets which must be securely distributed.

2/ Public Key encryption to secure the channel between auth servers. This
would need only N public keys, which could be distributed in the clear;
A central Certification Authority would not be needed as plan9 already has
a distributed file system, the certificates _are_ files.

Russ sugested that the certificates could have timestamps allowing remote
users to be proxy authenticated by a local auth server until an expiry timeout
has been reached, at which point an authoratitive certificate would have to be
fetched. This would be a very significant win over long-hall networks.

The solution to 9grid authentication seems clear to me.

Next we need some way to stop grid users hogging too much of a nodes
cpu capacity, network bandwidth, disk space, and to stop them posting spam
or organising DDoS attacks...

-Steve