Message-ID: <5c6e493472c2a8aa4552a19e84a88a7a@quintile.net>
From: "Steve Simon"
Date: Wed, 8 Jun 2005 15:14:27 +0100
To: 9fans@cse.psu.edu
Subject: [9fans] 9grid

Hi,

First I wish to apologise as this will offend some people.

Am I the only one who is horrified at the lack of security implied by the two recent cross domain authentication proposals? I applaud any well written code for plan9 but I don't feel either are ready for production.

The single central auth server approach uses the outside.plan9.bell-labs.com auth server allowing anyone who has a sources account (i.e. anyone who wants to) to attach to grid nodes and run arbitrary software, and read any world readable files on any node. Ok, Plan9 is more secure than some OSs but I wouldn't allow just _anyone_ access to my machine. There is no trust relationship with the users. Even if accounts were explicitly enabled on demand and not by default there is still the problem of how an administrator on one side of the world can trust an unknown user on the other side.

The system that delegates authentication to remote, trusted servers requires the node administrator to explicitly set up this trust relationship so there is much more control here. The administrator of each remote authdom retains responsibility for the actions of their users on remote hosts, thus we have a distributed system of trust; users would connect to their local grid node to access the grid as a whole. At least here we have a chance that the administrators may know and trust the users they allow onto the grid.

Unfortunately in the current implementation, exchanges between the auth servers rely on DNS for mutual authentication. Given knowledge of a valid peer node's domain name, DNS poisoning attacks could easily allow a malicious user access to all grid nodes; the once secure Plan9 OS is now wide open.

I can think of only two other possible structures for the grid.

1/ Shared private keys between N grid nodes' auth servers. These secrets are used to ensure mutual authentication between auth servers and would prevent the DNS poisoning attack above. Unfortunately this would need 2N secrets which must be securely distributed.

2/ Public key encryption to secure the channel between auth servers. This would need only N public keys, which could be distributed in the clear; a central Certification Authority would not be needed as plan9 already has a distributed file system, the certificates _are_ files.

Russ suggested that the certificates could have timestamps allowing remote users to be proxy authenticated by a local auth server until an expiry timeout has been reached, at which point an authoritative certificate would have to be fetched. This would be a very significant win over long-haul networks.

The solution to 9grid authentication seems clear to me.

Next we need some way to stop grid users hogging too much of a node's cpu capacity, network bandwidth, disk space, and to stop them posting spam or organising DDoS attacks...

-Steve
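A small model of option 1/ from the mail above, added here as an example and not part of the original post or of any Plan 9 code: each pair of grid auth servers holds a shared secret, and each side proves it holds that secret by answering the other's random challenge with an HMAC, so a host that DNS merely resolves a peer's name to cannot pass as that peer. The authdom names, secrets and message format are constructed assumptions.

```python
import hashlib
import hmac
import os


def respond(secret: bytes, challenge: bytes, responder_dom: str) -> bytes:
    """Answer a peer's challenge. Mixing the responder's own authdom into the MAC
    stops one server's answer being replayed under a different name."""
    return hmac.new(secret, responder_dom.encode() + b"\0" + challenge,
                    hashlib.sha256).digest()


def check(secrets: dict, claimed_dom: str, challenge: bytes, response: bytes) -> bool:
    """Verify a peer's answer using the secret this server shares with claimed_dom.
    DNS only said where the name resolves; the shared secret is what ties the
    claimed authdom to the party actually on the wire."""
    secret = secrets.get(claimed_dom)
    if secret is None:
        return False  # the administrator never set up trust with this authdom
    return hmac.compare_digest(respond(secret, challenge, claimed_dom), response)


def mutual_auth(a_dom: str, a_secrets: dict, b_dom: str, b_secrets: dict) -> bool:
    """Run both directions of the exchange between auth servers a and b.
    Each table maps peer authdom -> pairwise secret; a party lacking the
    secret for its peer can only answer with junk."""
    ca, cb = os.urandom(16), os.urandom(16)  # each side picks its own challenge
    b_resp = respond(b_secrets.get(a_dom, b"no-secret"), ca, b_dom)  # b answers a
    a_resp = respond(a_secrets.get(b_dom, b"no-secret"), cb, a_dom)  # a answers b
    return check(a_secrets, b_dom, ca, b_resp) and check(b_secrets, a_dom, cb, a_resp)


# Constructed demo: two administrators who exchanged a secret out of band, and a
# third host that a poisoned DNS answer could point at but which never got it.
PAIR_KEY = os.urandom(32)
GRID_A = {"grid-b.example": PAIR_KEY}  # grid-a's table, keyed by peer authdom
GRID_B = {"grid-a.example": PAIR_KEY}
IMPOSTOR = {}                          # claims to be grid-b.example, holds no secret


def demo() -> tuple:
    genuine = mutual_auth("grid-a.example", GRID_A, "grid-b.example", GRID_B)
    spoofed = mutual_auth("grid-a.example", GRID_A, "grid-b.example", IMPOSTOR)
    return genuine, spoofed  # returns (True, False)


if __name__ == "__main__":
    print(demo())
```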