DaemonForums > OpenBSD > OpenBSD Security

#1
7th February 2021
flown
New User
Join Date: Jan 2021
Posts: 2

Windows Clients, KerberosV5 and dns platform mixup

Dear Community,

Beloved, I have a quick problem that seeks experience.

I have a just-installed OpenBSD 6.8 occupying the full disk, and I have already set up my nfs and ntpd (all I wanted was kerberos for authentication to the nfs server).
I understand now that I have to deploy a DNS for kerberos to work. Well, I have a Windows Server that isn't doing much. I could turn on its dns feature and make it a DNS server. Or I could (can I?) set up dns on my OpenBSD and co-host it with kerberos?

ntp_server --> OpenBSD_6.8
nfs ---> OpenBSD_6.8
kerberos V5 --> OpenBSD_6.8
dns --> Windows or OpenBSD_6.8
nfs clients platform --> Windows OS

My question in summary:

1. Can Windows clients use kerberos tickets to authenticate to nfs and also authenticate Windows applications?
2. Will co-hosting my dns-server with nfs, ntp and kerberos (on OpenBSD) compromise security in some way? Or in general, how can I make this sort of system as clean as possible?

Thanks in anticipation.
#2
7th February 2021
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,977
Hello, and welcome!
Quote (originally posted by flown):
> Or I could (can I?) set up dns on my OpenBSD and co-host it with kerberos?

OpenBSD has two built-in DNS servers: 1) unbound(8) for local network services, and 2) nsd(8) if an Internet-facing authoritative DNS server is needed.
Quote (originally posted by flown):
> Will co-hosting my dns-server with nfs, ntp and kerberos (on OpenBSD) compromise security in some way? Or in general, how can I make this sort of system as clean as possible?

The Heimdal implementation of KerberosV was included as a built-in facility for OpenBSD from Release 3.0 through Release 5.5. It was removed from the OS for Release 5.6, primarily from developer concerns about its code quality and code complexity, and lack of use by the developer community. It was converted to a third-party package for Release 5.6, and remains an available package to this day.

I have never used KerberosV in any production environment nor reviewed the source code, so I have no personal opinion on its use. But theo@ has compared its quality to that of pre-Heartbleed OpenSSL, so that would have me looking for alternative privacy mechanisms to protect NFS.

At different times I've used both IPSec and 802.1Q VLANs to isolate NFS networks, and if I needed to deploy protected NFS again I would use VLANs on wired networks or a WireGuard VPN over WiFi. WireGuard is vastly simpler to deploy than IPSec. And, OpenBSD has a built-in WireGuard implementation in the kernel -- the wg(4) driver.

Last edited by jggimi; 7th February 2021 at 12:06 PM. Reason: clarity

#3
10th February 2021
flown
New User
Join Date: Jan 2021
Posts: 2

Re: Windows Clients, KerberosV5 and dns platform mixup
Thank you jggimi,

Oh my! I had typed a response as soon as I read your answer. I apparently didn't hit the Post button. Forgive me for the late reply, please.

Foremost, thanks for the note on Heimdal. I detest complexity!

Maybe I should make use of IPSec with Samba in place of NFS.

Thanks again.

#4
10th February 2021
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,977

Quote (originally posted by flown):
> I detest complexity!
>
> Maybe I should make use of IPSec...

IPSec is quite complex. Due to that complexity, the provisioning burden can sometimes be complex also. Just ask any admin who has ever had to develop and deploy an ISAKMP/Oakley KeyNote policy for IKEv1. Or any admin who has ever missed a minor provisioning mistake in an IPSec flow and accidentally routed private communication between endpoints in plaintext instead of having that traffic encapsulated and encrypted.

To help with IPSec deployments, the OpenBSD FAQ has a chapter on VPN provisioning that covers IPSec with either IKEv2 or IKEv1/L2TP. Right now, the chapter only mentions WireGuard and links to the driver's man page.

As I mentioned above, I prefer VLANs whenever they can be deployed over any form of VPN, and when VPNs are needed my current preference is for WireGuard over IPSec due to its clear administrative simplicity.
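Both of jggimi's replies above point to the in-kernel wg(4) driver as the simpler way to put NFS traffic on a private channel instead of relying on Kerberos or IPSec. The script below is an added example written for this thread; it is not jggimi's code, not from the OpenBSD FAQ and not part of the OpenBSD project. It stages a hostname.wg0(5), an exports(5) line and a pf.conf(5) fragment into a directory of your choice so they can be reviewed before being copied into /etc. The tunnel network (10.10.0.0/24), the UDP port (51820), the export path (/export) and the function and argument names are my assumptions; the WireGuard keys are passed in by the caller rather than generated here.

```shell
#!/bin/sh
# Added example (not from the thread): stage an OpenBSD wg(4) tunnel so that
# nfsd(8), mountd(8) and portmap(8) are only reachable through WireGuard.
#
# Assumptions (mine): server tunnel address 10.10.0.1/24, a single client at
# 10.10.0.2, UDP port 51820, export path /export.
#   server private key : openssl rand -base64 32        (run on the server)
#   client public key  : shown by `ifconfig wg0` on the client once its key is set
#
# Usage: write_wg_nfs_config <dest-dir> <server-wgkey> <client-pubkey> <client-ip>
# Review the files in <dest-dir>, then copy them into /etc and run
# `sh /etc/netstart wg0`, `pfctl -f /etc/pf.conf` and `rcctl restart mountd`.

write_wg_nfs_config() {
    dest="${1:?destination directory}"
    server_key="${2:?server private wgkey (base64)}"
    client_pub="${3:?client public key (base64)}"
    client_ep="${4:?client endpoint IP address}"

    mkdir -p "$dest"

    # hostname.wg0(5): brought up by netstart(8) at boot. wgaip pins the
    # addresses this peer may use inside the tunnel, so a peer cannot claim
    # to be 10.10.0.1 or any other client.
    cat > "$dest/hostname.wg0" <<EOF
wgkey $server_key wgport 51820
wgpeer $client_pub wgendpoint $client_ep 51820 wgaip 10.10.0.2/32
inet 10.10.0.1/24
up
EOF
    # The file holds the private key: owner-only permissions.
    chmod 600 "$dest/hostname.wg0"

    # exports(5): only hosts on the tunnel network may mount the share.
    cat > "$dest/exports" <<EOF
/export -network=10.10.0.0 -mask=255.255.255.0
EOF

    # pf.conf(5) fragment. mountd(8) registers a random port with portmap, so
    # rather than enumerating NFS ports, refuse everything inbound on the
    # public side except WireGuard itself and allow tunnel peers on wg0.
    # Add e.g. "pass in on egress proto tcp to (egress) port 22" if you
    # manage the host over the LAN.
    cat > "$dest/pf.conf.nfs" <<EOF
block return in on egress
pass in on egress inet proto udp to (egress) port 51820
pass in on wg0 inet from 10.10.0.0/24 to (wg0)
EOF
}
```

The client side mirrors this: its own wgkey, the server's public key as the wgpeer with `wgaip 10.10.0.1/32` and `wgendpoint <server-ip> 51820`, and `inet 10.10.0.2/24`; a Windows NFS client would carry the same key pair in the WireGuard client for Windows. Because pf passes only traffic arriving on wg0 from the tunnel network, the provisioning mistake jggimi describes for IPSec (a flow quietly falling back to plaintext) shows up as a refused connection rather than as an unencrypted mount.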
Tags: dns, kerberos, nfs, ntp, windows clients