Thursday, November 20, 2008

Kerberos and the SCSECA Curriculum

I remember when I first took the Network Administrator (SCNA) Exam back in the Solaris 7 days, and I was frustrated by the depth of NIS / NIS+ content. NIS was widely used back in the day, and fairly intuitive. However, NIS+ was a bit of a niche, and its use dropped off like a rock on the Solaris 7 era. I think people really failed to enjoy all those key exchanges and inherant troubleshooting.

Long after NIS and NIS+ services were deprecated by the coming promise of LDAP their place in the curriculum was maintained. But of course, I learned it and passed the exam. Having recently passed the SCNA again for Solaris 10 I was pleased with its content. I was convinced that Sun had brought the canon into the modern era. Good stuff. But just when I thought it was safe...

I'm now finishing up my prep for the Sun Certified Security Administrator (SCSECA) and am finding myself frustrated by the presence of Kerberos on the SCSECA test curriculum.

Will the number of sites using Kerberos please raise their hands? Ah ha! We now know the answer to the question, "What is the sound of one hand clapping?". Ok, it's more than one, I know. It's not very many though... I'm really hoping that when I sit down to the test the questions are written to a depth proportional to the installed base.

I think there's a lot of great content that can be included on a Solaris security exam in place of esoteric solutions like Kerberos. I'd like to see the bulk of the SCSECA content focus on an SA's ability to implement and evaluate impact of the various checks in the CIS Solaris 10 Benchmark. The key of course is "evaluate" more than "implement." I'm amazed at how many people flip through checklists without understanding the implications of these reconfigurations, and I think the SCSECA content is a great opportunity to fix that problem.

But that's ok. I'll brush up on my Kerberos and maintain my historical acumen.


Thomas Stromberg said...

While the number of sites doing Kerberized NFS may be small, they tend to be rather large sites (universities, large corporations), especially if they have many desktop UNIX machines.

We've got a few thousand desktop machines here that are doing it. The only quirk I've experienced on the Solaris 10 side is that cachefs had some quirks with it's credential handling.

Even with servers, I think Kerberized NFS is pretty important for NFS home directories. You don't want joe schmoe on random test server being able to su to someone else and edit his home directory files. Worse yet, if OS patches & tools meant to be run by root are stored on this NFS server. :)

I do wish it was easier to setup though!

Mark D said...

Kerberos is critical, even in a smaller environment like mine. It's dead simple to set up, and allows for seamless integration between the Solaris and Windows environments. You get single signon over SSH, easy integration with Samba. You need Kerberos (with LDAP) to actually replace NIS+. I would suggest it is far more important than NIS+ ever was.

Christopher Hubbell said...

Not sure why you NEED Kerberos to replace NIS+ with LDAP. We use LDAP to provide OS maps and central log ons at my site without any Kerberos.

I'm not saying it's not necessary. I think it's important for an OS certification to give a good survey of features so people know all the things the OS can do.

It just seems to me that the emphasis on Kerberos was a bit heavy compared to other features which in my travels have been more prevalent. Maybe I'm just traveling in odd places!