<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
 <TITLE> Coda Authentication and Protection: Authentication to the fileserver </TITLE>
 <LINK HREF="sec-4.html" REL=next>
 <LINK HREF="sec-2.html" REL=previous>
 <LINK HREF="sec.html#toc3" REL=contents>
</HEAD>
<BODY>
<A HREF="sec-4.html">Next</A>
<A HREF="sec-2.html">Previous</A>
<A HREF="sec.html#toc3">Contents</A>
<HR>
<H2><A NAME="s3">3. Authentication to the fileserver </A></H2>

<P>
<P>
<H2><A NAME="ss3.1">3.1 Authenticated connections in Venus and Vice </A>
</H2>

<P>
<P>When a client establishes a new connection, this is done in
userent::Connect. The userent class knows the secret token and whether it
is still valid.  An authenticated bind is attempted.  If it fails, the
client removes the tokens. 
<P>The request arrives in the ServerLWP routine, which calls
RPC2_GetRequest. This time the hook to get the keys is the routine
GetKeysFromToken. The secret token included with the client's bind
request is decrypted with the keys stored in auth2.tk and
auth2.tk.BAK.  The latter allows the server password to be changed
without the server having to be restarted.
<P>The fileserver attaches the current protection subdomain (see below)
to a ClientEntry when it executes the CheckSemantics calls.  This is
done only for authenticated connections. 
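<P>The current/backup key check described above, as an added example that is not part of the original Coda documentation or source: a Python model in which tokens are tagged with HMAC-SHA256 (standing in for Coda's DES token encryption), the server tries the key in auth2.tk and then the one in auth2.tk.BAK, and the client side drops its token when the authenticated bind fails. The token layout, class names and key values are constructed for this example.

```python
# Added example, not Coda's own code: a model of the GetKeysFromToken check.
# HMAC-SHA256 stands in for Coda's DES token encryption; the token layout
# (user id, expiry, tag) is constructed for this example.
import hashlib, hmac, struct
from typing import Optional, Tuple

BODY_FMT = "!IQ"  # user id (4 bytes), expiry as Unix time (8 bytes)
BODY_LEN = struct.calcsize(BODY_FMT)


class TokenServer:
    def __init__(self, current_key: bytes, backup_key: Optional[bytes] = None):
        self.current_key = current_key    # contents of auth2.tk
        self.backup_key = backup_key      # contents of auth2.tk.BAK

    def rotate(self, new_key: bytes) -> None:
        """Change the server password: the old key becomes the backup key,
        so tokens already issued stay usable until they expire (no restart)."""
        self.backup_key, self.current_key = self.current_key, new_key

    @staticmethod
    def _tag(key: bytes, body: bytes) -> bytes:
        return hmac.new(key, body, hashlib.sha256).digest()

    def issue(self, user_id: int, expiry: int) -> bytes:
        """Issue a token under the current key (the auth2 server's role)."""
        body = struct.pack(BODY_FMT, user_id, expiry)
        return body + self._tag(self.current_key, body)

    def get_keys_from_token(self, token: bytes, now: int) -> Optional[Tuple[int, str]]:
        """Return (user_id, which_key) for a valid token, or None to reject."""
        body, tag = token[:BODY_LEN], token[BODY_LEN:]
        for name, key in (("current", self.current_key), ("backup", self.backup_key)):
            if key is not None and hmac.compare_digest(tag, self._tag(key, body)):
                user_id, expiry = struct.unpack(BODY_FMT, body)
                if now >= expiry:
                    return None           # right key, but the token has expired
                return user_id, name
        return None                       # not issued under any key we hold


class UserEntry:
    """Client side (userent::Connect): keep the token only while a bind succeeds."""
    def __init__(self, token: bytes):
        self.token: Optional[bytes] = token

    def connect(self, server: TokenServer, now: int) -> bool:
        if self.token is None or server.get_keys_from_token(self.token, now) is None:
            self.token = None             # failed authenticated bind: drop the token
            return False
        return True
```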
<P>
<H2><A NAME="ss3.2">3.2 Kerberos for Coda </A>
</H2>

<P>
<P>It is appropriate to end this section with a short discussion of the
things that need to be done to get Kerberos to work with Coda. While
the detailed names and calling conventions remain to be sorted
out, the following summarizes the task.  We start by very briefly
reviewing Kerberos authentication. 
<P>Kerberos authentication is very similar to Coda authentication, with
one difference: the Kerberos server, or Key Distribution Center (KDC), gives
out a Ticket Granting Ticket (TGT) which can be used to obtain specific
session keys for a variety of servers from the TGS (Ticket Granting
Service).  Once a user has authenticated to the KDC using kinit, the user is
given a TGT which kerberized applications use to get session keys for
client-server connections.  
<P>The client is issued a session key encrypted with the secret the
server shares with the KDC, as well as an unencrypted session key.  
<P>Instead of the dialogue with the auth2 server and the functioning of
clog, the following will need to be done.  
<OL>
<LI> The user authenticates to the Kerberos KDC and acquires a TGT.</LI>
<LI> When Venus establishes a new connection to the server, it checks
whether it has a session key for this user. If not, it tries to acquire one
using the TGT, which should be available on the machine. If the session
key is present but has expired, it does the same.  There is a standard
routine in libkrb.a to get this session key. </LI>
<LI> It now proceeds to connect to the fileserver using the Kerberos
DES encryption routine and the session key acquired from the KDC, in
the normal fashion of an auth2 bind. </LI>
<LI> The server must acquire the shared secret between the KDC and
the server to decrypt the packet coming from the client. Again, there
is a standard routine in libkrb.a to get this key. DES decryption will
then yield the client's request. </LI>
<LI> We now proceed as before, using the Kerberos session key instead
of the auth2 session key. </LI>
</OL>
<P>These modifications seem minor. <B>Warning:</B> the sizes of a variety
of structures may well differ between Kerberos and Coda. 
<P>
<H2><A NAME="ss3.3">3.3 Security holes to plug </A>
</H2>

<P>
<P>There are a variety of security holes that we need to plug in Coda:
<P>
<UL>
<LI> The most serious issue that needs to be addressed is to use
authenticated connections for the callbacks. A client should have an
option to be started such that it does not accept OPENKIMONO connections for
callbacks. There seems to be no difficulty in implementing this. </LI>
<LI> It would be a good idea to kerberize the volutil and
advice monitor connections. </LI>
<LI> Dispose of the insecure TCP socket for mariner and replace it
with authenticated RPC2 connections.  </LI>
<LI> The failure package similarly should establish secure
connections only. </LI>
</UL>
 
<P>Do we know of any other holes?
<P>
<HR>
<A HREF="sec-4.html">Next</A>
<A HREF="sec-2.html">Previous</A>
<A HREF="sec.html#toc3">Contents</A>
</BODY>
</HTML>