[OpenAFS] AFS && Apache

Russ Allbery rra@stanford.edu
Wed, 15 May 2002 01:00:14 -0700

Tino Schwarze <tino.schwarze@informatik.tu-chemnitz.de> writes:

> Maybe it would suffice for your purpose to use a IP-based ACL? This is
> easier than messing with tokens (which expire after some time and
> therefore need to be reacquired). I also consider it to be equally
> secure provided that there are no other services running on the web
> server which can be used to retrieve files.

Well, it means that someone who can spoof IP addresses can break the
security model, which is a bit weaker than AFS normally is.

> IP-based ACL works as follows:
> - create a PTS user named like the IP, e.g.
>   pts createuser
> - add this IP to a PTS group - this is the only way to use it.
> - wait up to 4 hours for the file server to notice the change

I have to say that I've in the past found IP ACLs to be a bit odd.
Sometimes they don't seem to work very well, even after four hours.
Sometimes I've even seen them suddenly stop working (even after four
hours) if you have to change the IP address of the system and therefore
rename or delete and recreate the PTS entry.

We've had good luck with network-based ACLs for site-licensed stuff and
the like, but for individual machines we're switching away from ever using
IP-based ACLs to always using something based on a real Kerberos identity
and using kinit with a keytab, kstart (a locally written program that does
the same thing for Kerberos v4 and can also run as a daemon and renew
authentication), or ksrvtgt, with a shell script wrapper.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>