Leopard and the Secure NFS Share

Posted on

One of the benefits of being an Apple Certified Trainer is that I get neat updates from the Apple training staff regarding all aspects of the OS. Today, I got an update from Apple on the UNIX compliant status of Leopard from their site here. While I knew that 64-bit processing was a big thing for Apple in general, and I knew that the new Terminal was a sweet deal, I didn't know they had made a change to NFS, namely to make it Kerberized.

For those of you not familiar with the NFS (Network File System), you may not know why the change to NFS is so important. Sure, single sign on is a great thing in principle, but what's the big deal, right? Well, let's take you through the world of NFS.

NFS is a UNIX native file sharing protocol used to quickly share files back and forth. What makes it so quick? There is no user name and password authentication. Authentication is done through the UNIX UID. This is great in a Directory-specified network where everyone has their own unique ID, but what if you are logging onto the file share from your locally authenticated machine? Chances are you are logging in from a UID assigned to your local machine that will be assigned to another user. Take this scenario:

Tech A creates his server, and shares his files with NFS. His first account he creates is the Administrator account, which was assigned the UID of 501 (standard Admin UID for Apple, by the way). He then creates various other accounts, starting at UID 1025 and going up.

Marketing Director A gets a new machine and creates their first account, which is again an Admin account for that machine and also assigned the UID of 501. They then connect to the file server Tech A created with their account. They don't have to worry about authentication, because NFS authenticates from the UID. In this case, the Marketing Director has Admin access to the file server. Problem? Yes, most definitely. Also considering that anyone that creates a local account on their machine, be they a director or lowly janitor.

Apple had seen this coming, and in Tiger Server made it possible to map all NFS connections to the nobody user, and make all access read only. That did some good, but still lacked the benefits and security of authentication.

Now enter Kerberos. Because of the Ticket system that it utilizes, and the fact that authentication is not necessary once the KDC has authenticated the user on the network, there is no speed reduction in authenticating through Kerberos for an NFS file share. It also adds just one more service that is Kerberized for a Mac OS X Server. I am hard-pressed to think of one service that is not Kerberized with the new Leopard install. This, and the fact that starting a Kerberos KDC is so easy to do with Mac OS X Server makes it a good choice with small to medium-sized businesses.

So, in the end, NFS has finally come full circle. Created initially as a method to quickly transfer files for server-level processing (i.e., imaging and thin-client use), it now has the ability of secure authentication though Kerberos. Of course, if you don't want to use Kerberos, you can still use AFP, SMB, or Kerberized FTP for your file sharing needs. ^_^