Minutes from 07/09/97 Security Meeting

James W DeRoest (deroest@cac.washington.edu)
Mon, 28 Jul 1997 08:32:27 -0700


Message-Id: <199707281532.IAA21803@mailhost1.cac.washington.edu>
From: "James W DeRoest" <deroest@cac.washington.edu>
To: "AST Webpage" <astweb@u.washington.edu>
Subject: Minutes from 07/09/97 Security Meeting
Date: Mon, 28 Jul 1997 08:32:27 -0700

-----Original Message-----
From: Yonah Karp <yonah@u.washington.edu>
Date: Monday, July 14, 1997 3:05 PM
Subject: Minutes from 07/09/97 Security Meeting

======== 07/09/97 Security Meeting ========

PRESENT

Donn Cave, Jim Fox, Brad Greer, Yonah Karp, Eliot Lim, Doug Luft, Ken Lowe, Tracy Stenvik, Lori Stevens.

NEXT MEETING

TBD, when necessary. In addition, there will be an NT security discussion at a future date after staff has attended NT trainings and conferences.

Kerberos news (Donn et al)

Niven02 is scheduled to go to 3737 on August 23.

K-ftpd is running where inetd.conf got installed, which is nearly everywhere. There are a few (to users) obscure places which don't have it, i.e. nineveh.

Eliot and Dave Dittrich want file access logging on ftp.u (saulfs02). The Kerberized ftpd currently on saulfs02 doesn't do this. Eliot will research a Kerberized wu-ftpd to do logging and will tell us what he puts where.

Donn reported that Cygnus Kerberos works fine for him on his Mac. Donn tried it on Zardoz, and it didn't like his "profile". He described the Kerbnet screen as "baroque." [Zardoz is an Intel box running Win 95.] Probably someone more familiar with/interested in Wintel should test this.

Cygnus apparently provides support for pay and software for free.

Kerberos testing -- next steps

Yonah brought up the issue of removing local passwords. There was lively discussion about this. Her thinking is that we need to test how this might work in the UA world so the next step should be to test it on ourselves -- i.e. on melville. We need hidden, well-encrypted passwords, and the redundancy of having the shadow passwords on the system (even if the pw's are synchronized) is just a security hole.

Donn will research potential [deleterious] effects of removing passwords from melville and report back to us. Programs mentioned to look at include

xlock
imap
/bin/login
/bin/tsm
rexecd
ftp

Brad suggested looking into removing programs that are rarely used (and for which alternatives are available), e.g. rexecd. This would get rid of other potential security holes.

Lori will check with Mark about the status of Kerberos in IMAP.

Should jedgar participate in this realm or not? Good open question.

NT

The new NT boxes which are being set up for multimedia use for UWTV came up. There are 6 boxes, 3 at 3737 and 3 at 4545.

We want to have a focused meeting about NT security, and will do so at a future date (after all of the NT trainings and conferences our staff will attend). Questions include:

Security in the kernel -- what is the security context (i.e. compared with Unix)?

What about auditing?

How do NT logging capabilities help?

What web pages are around which relate to NT security?

Services, ACLs, network security? User/group model?

Misc

Jim Fox posited the idea that Kerberos is easy to break. All you have to do is say to the server: "I'm Donn, give me a ticket." The server gives you a ticket encrypted with Donn's password, and now you have all the time in the world to crack it.
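
A defensive check for the request pattern in the last item, as an added example that is not part of the original minutes: it scans KDC log lines for a single client address that was issued initial tickets for several different principals within a short time. The log layout is modelled on MIT krb5kdc output and is an assumption, as are the sample lines, addresses, realm, window and threshold.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the MIT krb5kdc log layout (an assumption;
# adapt the pattern to the KDC in use). Hosts, addresses and principals are invented.
SAMPLE_LOG = """\
Jul 09 10:00:01 kdc1 krb5kdc[311](info): AS_REQ (1 etypes {1}) 192.0.2.10: ISSUE: authtime 868442401, etypes {rep=1 tkt=1 ses=1}, alice@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
Jul 09 10:00:05 kdc1 krb5kdc[311](info): TGS_REQ (1 etypes {1}) 192.0.2.10: ISSUE: authtime 868442401, etypes {rep=1 tkt=1 ses=1}, alice@EXAMPLE.EDU for imap/mail.example.edu@EXAMPLE.EDU
Jul 09 10:01:40 kdc1 krb5kdc[311](info): AS_REQ (1 etypes {1}) 192.0.2.77: ISSUE: authtime 868442500, etypes {rep=1 tkt=1 ses=1}, alice@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
Jul 09 10:01:41 kdc1 krb5kdc[311](info): AS_REQ (1 etypes {1}) 192.0.2.77: ISSUE: authtime 868442501, etypes {rep=1 tkt=1 ses=1}, bob@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
Jul 09 10:01:42 kdc1 krb5kdc[311](info): AS_REQ (1 etypes {1}) 192.0.2.77: ISSUE: authtime 868442502, etypes {rep=1 tkt=1 ses=1}, carol@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
Jul 09 10:01:43 kdc1 krb5kdc[311](info): AS_REQ (1 etypes {1}) 192.0.2.77: ISSUE: authtime 868442503, etypes {rep=1 tkt=1 ses=1}, dave@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
Jul 09 10:01:44 kdc1 krb5kdc[311](info): AS_REQ (1 etypes {1}) 192.0.2.77: CLIENT_NOT_FOUND: nosuch@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU, Client not found in Kerberos database
Jul 09 12:06:40 kdc1 krb5kdc[311](info): AS_REQ (1 etypes {1}) 192.0.2.10: ISSUE: authtime 868450000, etypes {rep=1 tkt=1 ses=1}, bob@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
"""

# Only answered initial-ticket (AS) requests matter: each one handed the
# requester a reply protected by that principal's password-derived key.
AS_ISSUE = re.compile(
    r"AS_REQ \([^)]*\) (?P<src>\S+?): ISSUE: authtime (?P<t>\d+), "
    r"etypes \{[^}]*\}, (?P<client>\S+) for krbtgt/")

def parse_issued(log_text):
    """Yield (source, authtime, client) for every AS request the KDC answered."""
    for line in log_text.splitlines():
        m = AS_ISSUE.search(line)
        if m:
            yield m["src"], int(m["t"]), m["client"]

def flag_sources(log_text, window=60, threshold=3):
    """Return {source: sorted principals} for sources issued initial tickets
    for at least `threshold` distinct principals within `window` seconds."""
    by_src = defaultdict(list)
    for src, t, client in parse_issued(log_text):
        by_src[src].append((t, client))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {c for t, c in events[i:] if t - start <= window}
            if len(seen) >= threshold:
                flagged[src] = sorted(seen)
                break
    return flagged

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))
```

A shared login host legitimately requests tickets for many principals, so known multi-user addresses need an allowlist or a higher threshold.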