[Cryptography] Transparent remote file access

Phillip Hallam-Baker phill at hallambaker.com
Mon Nov 27 10:59:27 EST 2017


All,

So I have been configuring my development machines so that I can use my
Windows box to cross develop to Mac and Linux. And so I have fstab files
filled with usernames and passwords to grant access. Which would be
unacceptable of course if the cross platform targets were not dedicated
build machines situated in the same physical space and under the same
administrative control.

But this approach is of course fundamentally unclean. The problem is, I
don't see anything that is more than a cosmetic improvement.

Yes, I can put the username and password information in a separate file
that is attached to the account rather than in my fstab. But that only
moves the problem a little

In theory, I could use an encrypted partition on my user account. But that
breaks when I try to invoke scripts on the build host remotely unless I
provide the password.

Something is broken here and I think it is because there is a fundamentally
difficult problem which I am not aware anyone has really solved yet. So I
am asking if someone can see a solution, that is a full solution and not a
workaround to the problem of logging into a remote machine and carrying
across all the privileges.

Kerberos solved some of these problems of course. But a Kerberos KDC has
absolute God level privileges to achieve that. If the KDC is ever
compromised you are hosed. Mallet is my sysop, I don't trust him. If I use
a KDC based on symmetric crypto, I give Mallet root access to everything.


What I want is to address scenarios such as the following without any
password based credential whatsoever. There might be a PIN to unlock a
private key but I don't want any password based credential or proof of
knowledge of a password to go on the wire.

*Scenario 1:*

Alice is sitting at host Machine1, she connects to Machine2 (e.g. by SSH).
She runs a script that reads files on Machine1 and deposits the result on
Machine3.

The sysops of Machines 1 through 3 are different. The sysop of Machine 1
could install software that could steal Alice's credential and make use of
it on Machines 2 and 3 but the sysyops of Machines 2 and 3 can only
compromise the data that passes through their own host, they cannot
compromise Machine1.

*Scenario 2:*

Alice writes a cron job to run at a particular time to perform an operation
on a particular set of files. on Machine 1.

​In this case, the machine has sufficient data to compromise the data
hosted. But the data should be secure if someone with physical access takes
the disks.​


​What I am looking for is not necessarily cryptographic enforcement of the
access controls.​ When faced with an insider threat, it is pretty much
inevitable that the data on that particular host is going to be hosed if a
user loads it into the memory space of some application.

But looking at recent attacks, I am seeing that a LOT of the threats we are
facing are coming from sideways contamination. The Russians attacked thirty
DNC staffers with phishing emails, they only compromised one and not the
machine that they were after. But once they were past the firewall, they
could hop from one machine to the next without difficulty.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20171127/f7402378/attachment.html>


More information about the cryptography mailing list