[OpenAFS] with or without krb5 and openldap?

Russ Allbery rra@stanford.edu
Sat, 02 Aug 2003 11:17:35 -0700


Derek Atkins <warlord@MIT.EDU> writes:

> Yes, you could perform UID spoofing, but you can do that with _ANY_
> distributed passwd entry.  The point is that "local UID" means nothing
> -- the only thing that matters (at least on the network) is your
> kerberos identity.

While this is certainly true so far as it goes, as long as you're not
putting /tmp into AFS, you do need to care about the UID.  And while you
may be capable of setting up DNSSEC, I can assure you that most sysadmins
will find it far easier to set up secure LDAP than secure DNS,
particularly given the available tools and packages already out there.

(NIS loses completely in this area; NIS has no effective security, and
NIS+ basically doesn't work.)

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
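The point both posters circle around is that whoever controls a distributed passwd source chooses the UIDs it hands out, and the local UID still decides who can touch files outside AFS (such as /tmp). A practical check is to diff the directory-served passwd map against the host's local accounts and flag any UID that is claimed by more than one name. The script below is an added example for this thread, not code from either poster or from OpenAFS; the passwd lines in it are constructed sample data, and the way the export is obtained (an LDAP or NIS dump in passwd(5) format) is an assumption.

```python
"""Audit a distributed passwd source for UID collisions.

Added example, not code from the thread.  Takes passwd(5)-format lines as
exported from a directory (LDAP, NIS, ...) plus the host's local
/etc/passwd lines, and reports UIDs that map to more than one account
and directory entries that shadow a local account.  On an NSS-configured
host both sources feed the same UID namespace, so any such collision
means local file ownership can be claimed by either name.  All sample
data below is constructed for the example.
"""

from collections import defaultdict

# Constructed sample of the host's local /etc/passwd (assumption).
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
"""

# Constructed sample export from a directory-served passwd map (assumption).
# 'mallory' claims UID 1000 (alice's), 'toor' claims UID 0, and 'dave'
# reuses bob's UID 1001.
DIRECTORY_PASSWD = """\
bob:x:1001:1001:Bob:/afs/example.org/user/bob:/bin/sh
carol:x:1002:1002:Carol:/afs/example.org/user/carol:/bin/sh
mallory:x:1000:1000:Mallory:/afs/example.org/user/mallory:/bin/sh
toor:x:0:0:Backdoor:/:/bin/sh
dave:x:1001:1001:Dave:/afs/example.org/user/dave:/bin/sh
"""


def parse_passwd(text):
    """Parse passwd(5) lines into (name, uid) pairs, skipping blanks and comments."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        try:
            uid = int(fields[2])
        except ValueError:
            raise ValueError(f"line {lineno}: non-numeric UID {fields[2]!r}") from None
        entries.append((fields[0], uid))
    return entries


def find_uid_collisions(local_text, directory_text):
    """Return sorted (uid, [names]) for every UID mapped to more than one name.

    Local and directory entries are merged because the host resolves both
    through the same UID namespace.
    """
    by_uid = defaultdict(set)
    for name, uid in parse_passwd(local_text) + parse_passwd(directory_text):
        by_uid[uid].add(name)
    return sorted((uid, sorted(names)) for uid, names in by_uid.items()
                  if len(names) > 1)


def find_shadowed_local_accounts(local_text, directory_text):
    """Return sorted (directory_name, local_name, uid) for directory entries
    whose UID belongs to a differently named local account."""
    local_by_uid = {uid: name for name, uid in parse_passwd(local_text)}
    hits = []
    for name, uid in parse_passwd(directory_text):
        if uid in local_by_uid and local_by_uid[uid] != name:
            hits.append((name, local_by_uid[uid], uid))
    return sorted(hits)


if __name__ == "__main__":
    for uid, names in find_uid_collisions(LOCAL_PASSWD, DIRECTORY_PASSWD):
        print(f"UID {uid} shared by: {', '.join(names)}")
    for dname, lname, uid in find_shadowed_local_accounts(LOCAL_PASSWD, DIRECTORY_PASSWD):
        print(f"directory entry {dname!r} shadows local account {lname!r} (UID {uid})")
```

Run it against a real export by replacing the two constructed strings with the contents of /etc/passwd and the directory's passwd map; a hit on UID 0 or on any locally defined UID is the case Derek describes, and the reason Russ says the UID still has to be cared about.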