The Distributed File Service/Network File System (DFS/NFS) Secure Gateway provides a mechanism for granting authenticated access to the DFS filespace from an NFS client. The DFS/NFS Secure Gateway allows users to access data in the DFS filespace from a machine that is configured as an NFS client but not as a DCE client.
To use the DFS/NFS Secure Gateway for authenticated access to DFS, you must configure at least one Gateway Server machine. A Gateway Server machine must be a DFS client in the DCE cell to which access is to be provided. One function of a Gateway Server machine is to export the root of the DCE global namespace, /..., via NFS. On each NFS client from which users are to access DFS, you then mount the exported /... namespace. All users of the NFS clients then have unauthenticated access to DFS.
The DFS/NFS Secure Gateway recognizes the @sys and @host variables on the NFS client system. This allows the Gateway system to resolve pathnames to binaries and other system-dependent files correctly, based on the user's login system name and system type.
The @host variable contains the name of the NFS client, as returned by gethostname(), that is accessing the DFS namespace. The @sys variable, which is a unique name derived from uname(), describes the machine architecture and OS type. Examples of @sys values include pmax_osf1 and rs_aix32.
The primary function of a Gateway Server machine is to provide DCE authentication to users of NFS clients. NFS users who have valid accounts in the registry database of the DCE cell authenticate to DCE to gain authenticated access to DFS. Depending on the needs of your users and the security considerations of your DCE cell, you can provide local authentication to DCE from Gateway Server machines, remote authentication to DCE from NFS clients, or both. Local and remote authentication work as follows:
· Local authentication to DCE from Gateway Server machines is provided via the dfsgw add command. With local authentication, you can allow users to issue the dfsgw add command to authenticate themselves, or you can control access to DFS by allowing only system administrators to provide authentication via the dfsgw add command. (The dfsgw command suite includes additional commands to provide for central administration from Gateway Server machines.)
Local authentication requires little configuration, but it provides a limited approach to authentication. Configuration consists only of installing the dfsgw commands on the Gateway Server machines. However, authentication requires either administrative intervention or remote access to the Gateway Server machine (via the telnet program, for example); the latter approach results in user passwords being sent over the network in the clear.
· Remote authentication to DCE from NFS clients is provided via the dfs_login command. With remote authentication, you allow users to issue the dfs_login command to authenticate themselves.
Remote authentication requires additional configuration, but it provides a less burdensome and more secure approach to authentication. Configuration consists of installing and configuring the Gateway Server (dfsgwd) process on the Gateway Server machines, installing the dfs_login command (and the dfs_logout command) on the NFS clients, configuring Kerberos on the NFS clients, and configuring the remote authentication service on both the Gateway Server machines and the NFS clients. However, authentication requires no administrative measures, and user passwords are never sent in the clear.
The dfsgw add and dfs_login commands both result in authenticated access to DFS from an NFS client. To provide a user with authenticated access, each command obtains a ticket-granting ticket (TGT) for the user from the DCE Security Service. The TGT is used to create a valid login context for the user. The login context includes a Process Activation Group (PAG), which DFS stores in the kernel of the Gateway Server machine. The PAG identifies the user's TGT; the TGT serves as the user's DCE credentials.
On the Gateway Server machine, an association is created between the UNIX user identification number (UID) of the user and the network address of the NFS client from which DFS access is desired. A mapping is then created between this pair and the PAG created for the user. The mapping is stored as an entry in a local authentication table (AT), which, like the PAG, resides in the kernel of the machine. The mapping provides the user with authenticated access to DFS from the NFS client.
Each mapping grants a user authenticated access only from the specific NFS client for which the mapping exists. For authenticated access from a different NFS client, a user must use the dfsgw add or dfs_login command to create a new mapping for that client.
A user's DCE credentials are good only for the lifetime of the TGT. The ticket lifetime is dictated by the registry database of the DCE cell. By default, each ticket receives the default ticket lifetime in effect in the registry database. The dfs_login command includes a -l option that can be used to request a different lifetime, but a requested lifetime is constrained by the policies in effect in the registry database. Once a user's TGT expires, the user must obtain new DCE credentials.
A user who wants to cancel authenticated access to DFS before the credentials expire can issue either the dfs_logout command from the NFS client for which the credentials were granted or the dfsgw delete command from the Gateway Server machine. Both commands remove the user's entry for the NFS client from the authentication table on the Gateway Server machine. Either command can be used to end the authenticated session, regardless of which command was used to obtain the credentials. Because the authentication table resides in memory, all authenticated sessions are terminated if the machine configured as a Gateway Server is rebooted.
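The authentication table behavior described above can be sketched as a small model. This is an added illustration, not DFS code: the class and method names, the PAG numbers, and the sample UIDs and addresses are constructed, and treating an expired entry as unauthenticated access is an assumption of the model.

```python
import time
from dataclasses import dataclass
from itertools import count

@dataclass
class Entry:
    pag: int        # Process Activation Group that identifies the user's TGT
    expires: float  # time at which the TGT (and so the credentials) expires

class AuthTable:
    """In-memory model of the Gateway Server's authentication table (AT)."""

    def __init__(self):
        # A reboot of the Gateway Server corresponds to a fresh, empty table.
        self._entries = {}            # (uid, client_addr) -> Entry
        self._next_pag = count(1000)  # constructed PAG numbers

    def add(self, uid, client_addr, lifetime, now=None):
        """Model of dfsgw add / dfs_login: map (UID, NFS client) to a new PAG."""
        now = time.time() if now is None else now
        entry = Entry(next(self._next_pag), now + lifetime)
        self._entries[(uid, client_addr)] = entry
        return entry.pag

    def delete(self, uid, client_addr):
        """Model of dfsgw delete / dfs_logout: remove one client's mapping."""
        return self._entries.pop((uid, client_addr), None) is not None

    def lookup(self, uid, client_addr, now=None):
        """Return the PAG for an NFS request, or None (unauthenticated)."""
        now = time.time() if now is None else now
        entry = self._entries.get((uid, client_addr))
        if entry is None or now >= entry.expires:
            return None               # no mapping, or TGT lifetime exceeded
        return entry.pag

def demo():
    """Walk through the cases in the text with constructed sample values."""
    at = AuthTable()
    pag = at.add(1001, "192.0.2.10", lifetime=3600, now=0)
    return {
        "same_client": at.lookup(1001, "192.0.2.10", now=60) == pag,
        "other_client": at.lookup(1001, "192.0.2.11", now=60),   # needs own mapping
        "other_uid": at.lookup(1002, "192.0.2.10", now=60),
        "after_expiry": at.lookup(1001, "192.0.2.10", now=3600),
        "logout": at.delete(1001, "192.0.2.10"),
        "after_logout": at.lookup(1001, "192.0.2.10", now=60),
    }
```

The model makes the scope of a mapping explicit: authenticated access is decided by the pair of UID and client network address, so the same user on a second NFS client, or a different UID on the same client, gets no PAG.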
The following two topics provide complete instructions for configuring Gateway Server machines and NFS clients to provide NFS users with either local or remote authentication to DCE. The final topic in this appendix provides detailed information about how users authenticate to DCE and how they access DFS from an NFS client.