Date:      Fri, 6 Oct 2000 19:08:40 +0000 (GMT)
From:      Terry Lambert <tlambert@primenet.com>
To:        marko@FreeBSD.ORG (Mark Ovens)
Cc:        jcm@FreeBSD-uk.eu.org (j mckitrick), chat@FreeBSD.ORG
Subject:   Re: .net threat ?
Message-ID:  <200010061908.MAA20085@usr05.primenet.com>
In-Reply-To: <20001006182849.E252@parish> from "Mark Ovens" at Oct 06, 2000 06:28:49 PM

> [ ... ] and Kerberos authentication (although they have slightly
> bastardized it by using an unused field without publishing its use).

They used a reserved field in a way specifically noted as
being incorrect usage of the field by the author of the
field.

To be exact, they store an MS cookie there that can not be
used by a non-MS system, and can not be generated by a non-MS
system.

This is tantamount to storing an encrypted index key into the
Domain controller credential database, such that clients with
the key are treated differently (given additional services)
from clients without the key (denied additional services).

This means:

o	You can use an MS workstation as a kerberos client
	of MS kerberos, and get full service

o	You can use an MS workstation as a kerberos client
	of UNIX kerberos, and get decreased service

o	You can use a UNIX workstation as a kerberos client
	of MS kerberos, and get decreased service

o	You can use a UNIX workstation as a kerberos client
	of UNIX kerberos, and get decreased service

In other words, they are locking up the ability to provide the
domain controller associated services, and doing so in a standards
violating way.

This is different from merely "slightly bastardized", since if that
were the case, one could choose to "slightly bastardize" UNIX
kerberos clients and servers, and the problem would go away.  As
it sits, it's now just one more thing that SAMBA and kerberos
people will have to reverse engineer, and given the bludgeon of
money and the U.S. Civil court system (c.v. Microsoft v. Stacker)
this work will have to take place outside the U.S. to be safe
from litigation based suppression of legally reverse engineered
compatibility code.


> They've also added some Unixisms as well; the 'runas' command (similar to
> su(1)),

This is easy; I did this in NT 3.x using a program that called
"impersonate()" before creating a task ("fork(); exec()" in UNIX
parlance).

> you can boot to a single-user command line,

Not impossible in NT 3.x, either, just a pain.

> and you can mount disks (drive letters) on a directory a la
> mount(8) (although the dir *must* be empty, so no over-mounting).

Trivial even in Windows 95, actually, by hooking IFSMgr calls.  I
wrote code to do this back in 1996.

I suspect the "overmounting" prohibition came from the file
handle conversion code, since this would fail, without some
heroic measures, should a file be open in the subhierarchy you
are mounting over.  There are actually ways to work around this
(I wrote that code, too, to permit relocation of data from the
C: drive, where everything wants to install, in order to overcome
space limitations; as far as the code was concerned, it still
believed it was on the C: drive, when it was actually elsewhere).


					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.

