[OpenAFS-devel] openafs - proposed cache security improvement

Ken Hornstein kenh@cmf.nrl.navy.mil
Fri, 23 Mar 2007 10:24:45 -0400


>So, you're going to issue client credentials to all of your AFS clients?
>
>A valiant attempt, but I see practicality and management issues. ;)

For hosts I manage (e.g., the ones where I really do care about priv
escalation issues), they already have an installed Kerberos keytab.
Some significant work would have to be done to make this usable by the
AFS client, but I don't see anything inherently insurmountable.  I'm
not saying a "trust the first connect" fallback isn't worthwhile, but
if you've already drunk the Kerberos Kool-Aid, one of the hard pieces
(the key distribution & management piece) is already done.

--Ken