NOV
22
2004

KDE::Enterprise: Policy Based Linux Desktop Environment

KDE::Enterprise is featuring
an interesting new article [pdf, 2Mb]
from Novell consultant Adrián Malaguti in which he explains step-by-step how to apply restrictive policies to a
Novell Linux Desktop 9 KDE desktop, manage Linux users from eDirectory, authenticate through LDAP and store user's data and profiles in a remote NFS server for centralized management. A must-read for anyone who wants to roll out KDE in their organisation.

Comments

novell is doing the nfs way the wrong way(tm)

sharing /home over nfs in read/write mode to the entire world is NOT cool

I hope novell considers investing in nfsv4 to help it reach a stable state.
nfsv4 has the ability to secure shares on a user basis using kerberos v5 gssapi

in this howto they use nfsv3 and this is insecure++
sure you can limit the ip ranges that will be allowed to use nfs
and put up some firewall rules and restrict things using
/etc/hosts.allow and /etc/hosts.deny

but these limitations wrongly asume that the intruder attacks from the outside.

ip based security is non existent.


By Mark Hannessen at Mon, 2004/11/22 - 6:00am

is AFS. Yes, AFS is a pain in the butt to set up, but once it works, it is really nifty and a lot less of a pain that NFS, especially when it comes to scaleablilty. Formerly being a product of IBM, it is still supported and has been open sourced in the meanwhile: http://openafs.org/success.html

I can use my uni's AFS tree via ADSL using Kerberos 5 authentication with SUSE 9.2.

Cheers,
Daniel


By Daniel Molkentin at Mon, 2004/11/22 - 6:00am

I'd have to 2nd the vote for AFS. Not finding what I want wrt security and NFS, I deployed AFS/KerbV within my organization. Aside from being fairly complex to learn and setup, and a bit slow I've found it to be everything I'd hoped for. I have all my users home dirs in AFS. In addition it file serving, it can do replication and snapshot volumes.

John


By John Koyle at Thu, 2004/11/25 - 6:00am

You mean you guys STILL don't have a stable NFSv4? If you need a good distributed filesystem for use with a KDE desktop environment, may I suggest FreeBSD/KDE?


By Brandybuck at Tue, 2004/11/23 - 6:00am

What's so great about NFSv4? More kludges on top of more kludges?


By ac at Tue, 2004/11/23 - 6:00am

AFAIK nfs4 is rewritten from scatch and has nothing in common with nfs3.


By Erik Hensema at Tue, 2004/11/23 - 6:00am

yeah, but it doesn't necessarily makes it better, only highly unstable at first because it does not have a mature codebase... what real advantages does it have over v3?


By c0p0n at Wed, 2004/11/24 - 6:00am

> may I suggest FreeBSD/KDE?

Sure, but get the threading working properly first ;)

As for other properly scalable distributed file systems for Linux i would recommend GFS or Lustre. Truly great products.


By anon at Tue, 2004/11/23 - 6:00am

> i would recommend GFS or Lustre. Truly great products.

But not standard. With NFSv4 you won't be tied down with a homogenous environment, but can deploy it on Linux, Solaris and BSDs. In real life this is very important.


By Brandybuck at Tue, 2004/11/23 - 6:00am

and....

windows.
NFSv4 was designed to have usable by windows clients.

haven't seen one yet...
but NFSv4 is a BIG filesystem, and fairly new..
so we might still see one in the future.


By Mark Hannessen at Tue, 2004/11/23 - 6:00am

Erhm. This is standard NFS deployment practice. Everywhere I've seen NFS deployed they do it this way.


By ac at Tue, 2004/11/23 - 6:00am

That doesn´t make it more secure than parachuting with an umbrella.


By Roberto Alsina at Tue, 2004/11/23 - 6:00am

infact, this is so insecure that one bootable floppy could retrieve and destroy ALL data owned by ALL users. (with the exeption of the root user and /root)

and you don't need a hackers tool to find it out, insecurity is a nfs3 feature.


By Mark Hannessen at Tue, 2004/11/23 - 6:00am

I suppose you could only allow NFS over a VPN overlaying your real network so that the floppy solution doesn't work. Then all you need is to crack the workstation using your physical access, *then* use a floppy.


By Roberto Alsina at Tue, 2004/11/23 - 6:00am

How does the workstation access the VPN? The key used must be something that cannot be accessed from the workstation by a user with a boot floppy, and in this sort of corporate environment, having IT go round with a boot key to machines whenever they get restarted is not an option (typically centralised IT, workstations all over the place, and cleaners don't always choose the right plug to unplug). I can't think of any way to hide data on the machine in such a way that the user cannot access it once booted off his floppy, without bringing a boot key round to each machine as and when they restart.


By Simon Farnsworth at Thu, 2004/11/25 - 6:00am

Encrypted filesystems which can only be accessed with the right token, plus MAC (ala SELinux) can get you somewhat closer.

It is a hairy as hell problem, though. And expensive.

The main thing is: how do you forbid the user from accessing the VPN keys:

You don't use keys, you use certificates.

How do you prevent the user from accessing the certificate? He has no permission to read them.

How do you forbid him from using a floppy to read it?
You encrypt the filesystem (at least part of it)

How do you read the encrypted part? With a key.

Erm... ok. Whatever.

But yeah, usually it means someone has to be available in every physical location with a magical token to boot the boxes. Banks do it all the time already.

That person doesn't need to be IT, he only has to be the manager. He is responsible for box not being booted off floppies and such.


By Roberto Alsina at Thu, 2004/11/25 - 6:00am

If you look at the screenshots in the pdf, you see what a mess NLD is. They have qt, java, gtk, ncurses, cli and web guis all over the place. I mean, even Corel did a better job than these guys.

If you check how meticulous apple and microsoft are with their guis you wonder what sense there is in NLD competing for the same user.

I dont mind some inconsistensies in kde coz its a volunteer effort from pipo who dedicate their precious time for this great desktop.

However, novell pays its pipo to write stuff thats useful and at least pleasing to the eye.

The concotion of edirectory with its console one, Yast, /etc text files is just unlearnable.

I tried to teach someone this stuff. Its like a collection of bastard apps from different permutations of parents of different species.


By mukuka at Wed, 2004/11/24 - 6:00am

The ideas presented are quite good in concept and addresses the main requirement of running it in an enterprise.

Its things like this will push KDE into enterprise and help remove the illusion of it being a technical solution.

Obviously the Server software can be replaced such as NFS Server in be easily dropped with another file sharing server such as AFS or Samba and eDirectory can be replace with OpenLDAP.


By Anonymous Spectator at Thu, 2004/11/25 - 6:00am