
Imagine this simplified scenario: a small business has an owner, a bookkeeper, a part-time sysadmin and a few dozen employees; the company has an all-Linux LAN. (Most computers run Arch Linux.) No outside (WAN) access to the LAN is configured; LAN resources are available locally only.

It seems everything is cloud-based today, but I'm trying to understand this problem without initially having to consider the complexity of cloud-based resources or WAN access by remote or traveling employees.

The goal is to secure the resources on the LAN from unauthorized local access, especially by local users who can become root.

The sysadmin currently has root access to all computers. A select few employees have sudo rights on their computers. Currently, the sysadmin can access any and all resources on the LAN.

Now consider this new requirement: Other than the owner, the bookkeeper is the person who should have access to the financial resources of the company.

The sysadmin must be able to continue to administer all machines (from desktop support to operating system installation).

How can the sysadmin do his job while complying with the requirement of not having access to the financial information stored on the local fileserver, for example?

Is this what directory services such as LDAP or FreeIPA accomplish?

What is a simple way to solve the requirement described above for an overworked and under-trained Linux sysadmin?

If the requirement cannot be met 100%, what is the common practice at similar companies?

What is a simple way to implement a general authentication system along with a network file system that has encryption?

Some of the terms I have seen include FreeIPA, NIS, NIS+, LDAP, SSSD, Kerberos and more. I'm not clear on exactly how each of these might fit into the simple solution required in the scenario above.

(Bonus question: Once the above goal is accomplished, what -- in very general terms -- would need to change to begin extending this authorization and access control to WAN / remote clients?)

MountainX

1 Answer


Kerberos (+ LDAP) + NFS(v4) with integrity and encryption is probably the way to go to secure your local network. Kerberos provides authentication for your users (preventing impersonation), LDAP centralized user management. Kerberos is also a requirement for NFS encryption and integrity options.

You can't easily prevent a sysadmin with root access from gaining access to data hosted on the machines they administer. Files unencrypted on disk can be extracted, and network traffic can be sniffed before it is encrypted on the server. If the sysadmin does not have (any) access to the client machine, client-side encryption of the data could be enough. However, any administrative access would most likely give a malicious sysadmin more than enough options to find ways to gain access (stealing encryption keys from memory, a key logger for capturing the encryption password, etc.).

sebasth
  • Thanks for suggesting Kerberos + LDAP + NFS. However, this PDF (https://www.freeipa.org/images/0/0a/FOSDEM-Building-IDM.pdf) indicates that SSSD may be a better solution. Your thoughts? – MountainX Jan 30 '18 at 07:49
  • @MountainX ... SSSD is a daemon that runs on the client, where the server may be Kerberos, LDAP, AD or something else. – muru Jan 30 '18 at 08:06
  • @sebasth several pages I've been reading indicate that setting up Kerberos (+ LDAP) + NFS(v4) can be quite complex. For example, http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA indicates that configuring secure NFS is challenging, especially when it requires setting up and administering a Kerberos realm. – MountainX Jan 30 '18 at 08:27
  • Also see https://serverfault.com/a/669338/68517 "Kerberos is the best option, but you probably don't want to set it up by hand." That answer recommends FreeIPA or AD (not an option) or Samba 4. Any thoughts on those? – MountainX Jan 30 '18 at 08:31
  • I haven't used [FreeIPA](https://en.wikipedia.org/wiki/FreeIPA) myself, but I believe it integrates both Kerberos (MIT) and LDAP (389) (and other software including SSSD). If you are already using a RHEL-based distribution it is likely the best way to proceed. Samba and/or NFS provide file sharing. With Samba you probably still want centralized user management and authentication, which would again likely lead back to LDAP and Kerberos. – sebasth Jan 30 '18 at 09:26
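The answer above says Kerberos is what makes NFSv4 integrity and encryption possible; on the server that boils down to the `sec=` option in `/etc/exports`, and an export that forgets it silently falls back to `sec=sys`, where the client's claimed UID is simply trusted. The script below is an added example, not code from the answer, the question or any of the projects named on this page: a small audit that flags every export which allows a flavour other than `krb5p` (encryption) or `krb5i` (integrity). The exports files, the `10.0.0.0/24` subnet, `/srv/finance` and the host name `workstation7` are all constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original answer: audit an NFS /etc/exports file
# for the Kerberos security flavour the answer relies on.
#   sec=krb5   Kerberos authentication only (data still readable/alterable on the wire)
#   sec=krb5i  + integrity (data is signed)
#   sec=krb5p  + privacy (data is encrypted)
#   sec=sys, or no sec= at all: no Kerberos, the client's claimed UID is trusted.
# Only krb5p and krb5i pass here; krb5 alone leaves the financial data readable
# to anyone sniffing the LAN, which is exactly what the question wants to prevent.
#
# Matching client side mount (real mount.nfs options, hypothetical host name):
#   mount -t nfs4 -o sec=krb5p fileserver:/srv/finance /mnt/finance

# audit_exports FILE: print every export whose client entries allow a flavour
# other than krb5p/krb5i; return 1 if any was found, 0 otherwise.
audit_exports() {
    awk '
    {
        sub(/#.*/, "")               # strip comments
        if (NF < 2) next             # blank line, or export with no client list
        bad = 0
        for (i = 2; i <= NF; i++) {  # every field after the path is client(options)
            opts = $i
            if (opts ~ /\(/) { sub(/^[^(]*\(/, "", opts); sub(/\)$/, "", opts) } else { opts = "" }
            n = split(opts, o, ",")  # a bare client name has no options: all defaults
            sec = ""
            for (j = 1; j <= n; j++) if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
            if (sec == "") { bad = 1; why = "no sec= option, defaults to sys"; break }
            m = split(sec, flav, ":") # sec=krb5p:krb5i lists several accepted flavours
            for (k = 1; k <= m; k++)
                if (flav[k] != "krb5p" && flav[k] != "krb5i") { bad = 1; why = "allows " flav[k]; break }
            if (bad) break
        }
        if (bad) { printf "WEAK: %s  (%s)\n", $0, why; rc = 1 }
    }
    END { exit rc + 0 }' "$1"
}

# weak_count FILE: number of weak export lines (always exits 0 so callers can use it in tests).
weak_count() { audit_exports "$1" | grep -c '^WEAK:' || true; }

# Constructed sample exports files (hypothetical subnet and hosts, not from the page).
EXPORTS_OK=$(mktemp)
EXPORTS_BAD=$(mktemp)
trap 'rm -f "$EXPORTS_OK" "$EXPORTS_BAD"' EXIT

cat > "$EXPORTS_OK" <<'EOF'
# financial share: Kerberos with encryption only
/srv/finance   10.0.0.0/24(rw,sec=krb5p,sync,no_subtree_check)
/srv/shared    10.0.0.0/24(rw,sec=krb5p:krb5i,sync,no_subtree_check)
EOF

cat > "$EXPORTS_BAD" <<'EOF'
/srv/finance   10.0.0.0/24(rw,sync,no_subtree_check)            # no sec= -> sys
/srv/shared    10.0.0.0/24(rw,sec=sys:krb5p,sync,no_subtree_check)
/srv/public    *(ro,sec=krb5,sync,no_subtree_check)              # authentication only
/srv/scratch   workstation7                                      # bare client, all defaults
EOF

echo "== $EXPORTS_OK =="
audit_exports "$EXPORTS_OK" && echo "all exports require Kerberos integrity or privacy"
echo "== $EXPORTS_BAD =="
audit_exports "$EXPORTS_BAD" || echo "fix the exports above before sharing financial data"
```

Run it against a real `/etc/exports` with `audit_exports /etc/exports`. The check covers only the server's policy: the client must also mount with `-o sec=krb5p`, and, as the answer points out, none of this restrains root on the fileserver itself, who can still read `/srv/finance` straight from disk.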