AT&T essentially lost control of its development of Unix when they gave it away to

• shell
• socket
• User Identifier (UID)

Chapter 12: Unix Network Security

This chapter covers the major contemporary Unix network security mechanisms. There are a number of obsolete Unix protocols and security mechanisms that are not discussed here because they are no longer used—either because better alternatives exist now or because their security was weak and is now considered compromised. This chapter provides an overview of the basic network security mechanisms available to Unix, including their relative merits, security posture, and administrative difficulty. It's not possible to cover the configuration or administration of these protocols in a single chapter, but pointers to other resources for configuring them are provided.

Unix Network Security Basics

Standard Unix (AT&T System V) does not include facilities to implement either single-signon (one password and user account for the whole network) or pervasive network security. Security accounts are only valid on individual machines, machines do not "trust" other machines' accounts per se, and every network service implements its own security mechanisms. Unix security is similar to Windows "Workgroup" mode security in this respect, where trust amongst machines does not exist. Also consider that no true universal network file system exists in Unix. While Windows has had "Windows networking" since its inception to allow for file and print sharing, Unix did not have anything that could be called a standard file sharing mechanism until the early nineties, when NFS became the de facto file sharing standard. Prior to that, FTP was the closest thing to a file sharing standard, but it only allowed for copying files, not mounting and using them remotely. Without a standard network file sharing mechanism, there was little point in having a single network logon: traversing machines wasn't that much of an issue. But as networks of single-user computers became popular in the late 1980s, Unix began to show its age.
Of course, numerous solutions to these problems have cropped up in the 30 years since Unix was developed. Originally, network access simply meant connecting to a Unix machine using a terminal application and logging in using a local user account. This method is still used by telnet, remote shell, secure shell, and numerous other remote logon protocols.

remote logon: The process of logging on to a remote machine in order to execute software on it.

When Sun developed the Network File System and Network Information System, they simply adapted Unix security to a network environment. In these situations, all machines share a central account database, but they log on locally using these accounts. Because UIDs are supposedly synonymous throughout the network, this mechanism was relatively
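The NFS/NIS model described above only holds if every host really does agree on which UID means which user: an NFS server compares the numeric UID presented by the client against the file owner's UID, so a UID that names alice on one host and bob on another silently gives one user the other's files. The following script is an added example, not code from the book, that checks a set of /etc/passwd excerpts for exactly that kind of drift; the host names and passwd lines are constructed for illustration.

```python
"""UID consistency check across hosts that share files over NFS.

Added example (not from the book). NFS access decisions compare the UID the
client presents with the file's owner UID on the server, so the scheme only
works when every host agrees on which UID belongs to which user. The passwd
excerpts below are constructed sample data for two hypothetical hosts.
"""
from collections import defaultdict

# Constructed /etc/passwd excerpts for two hypothetical hosts, "alpha" and "beta".
PASSWD_BY_HOST = {
    "alpha": [
        "root:x:0:0:root:/root:/bin/sh",
        "alice:x:1001:1001:Alice:/home/alice:/bin/sh",
        "bob:x:1002:1002:Bob:/home/bob:/bin/sh",
    ],
    "beta": [
        "root:x:0:0:root:/root:/bin/sh",
        "bob:x:1001:1001:Bob:/home/bob:/bin/sh",    # bob holds alice's UID here
        "carol:x:1003:1003:Carol:/home/carol:/bin/sh",
    ],
}


def parse_passwd(lines):
    """Return {username: uid} from passwd-format lines (name:pw:uid:gid:...)."""
    mapping = {}
    for line in lines:
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip malformed lines rather than guess at them
        mapping[fields[0]] = int(fields[2])
    return mapping


def find_uid_conflicts(passwd_by_host):
    """Find UIDs that name different users on different hosts.

    Returns {uid: {host: username}} for every UID whose username is not the
    same on all hosts that define it. On an NFS export the server sees only
    the number, so such a UID lets the user on one host read files owned by
    a different person on another.
    """
    owners = defaultdict(dict)
    for host, lines in passwd_by_host.items():
        for name, uid in parse_passwd(lines).items():
            owners[uid][host] = name
    return {uid: hosts for uid, hosts in owners.items()
            if len(set(hosts.values())) > 1}


def find_split_users(passwd_by_host):
    """Find usernames that carry different UIDs on different hosts.

    Returns {username: {host: uid}}. A split user cannot reach their own
    files from the second host, the usual symptom of an unsynchronised
    account database.
    """
    uids = defaultdict(dict)
    for host, lines in passwd_by_host.items():
        for name, uid in parse_passwd(lines).items():
            uids[name][host] = uid
    return {name: hosts for name, hosts in uids.items()
            if len(set(hosts.values())) > 1}


if __name__ == "__main__":
    for uid, hosts in find_uid_conflicts(PASSWD_BY_HOST).items():
        print(f"UID {uid} is a different user per host: {hosts}")
    for name, hosts in find_split_users(PASSWD_BY_HOST).items():
        print(f"user {name} has differing UIDs: {hosts}")
```

On the sample data the script reports UID 1001 as alice on alpha but bob on beta, and bob as split between UIDs 1002 and 1001; with a real NIS-managed network the same check can be run over the passwd maps pulled from each host to confirm that the "synonymous UIDs" assumption actually holds before exporting a file system.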