[OpenAFS] Re: Cron Jobs for "Regular" Users

Andrew Deason adeason@sinenomine.net
Fri, 29 Jan 2010 11:14:18 -0600


On Fri, 29 Jan 2010 17:52:45 +0100
Anders Magnusson <ragge@ltu.se> wrote:

> Andrew Deason wrote:
> > could protect the directory where the keytabs are under an IP ACL,
> > but IP ACLs don't always work so well, and you'd open up access to
> > anyone 
>
> When do IP ACLs not work so well?

Well, they are a bit confusing compared to normal entries. Some changes
can take up to 2 hours to take effect, and you need to put IP ptdb
entries in groups before putting them in ACLs, neither of which I find
intuitive.

They also depend on accurate tracking of what IPs a client has. The
fileserver client host tracking code in general has had a history of
problems. Though improvements have been made, trying to track what IPs
clients are coming from is just a difficult problem, and in my
experience may not be as reliable as other security mechanisms.

And since it relies on where a packet is coming from... obviously it's
going to be less secure if someone can successfully impersonate another
IP.

To answer the question of 'when', though, the most likely time for them
to screw up, I think, would be when you have multihomed and/or
quickly-moving clients. At least, that's where the host-tracking issues
have been recently, if I recall correctly.

-- 
Andrew Deason
adeason@sinenomine.net
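For reference, the "IP entries go into a group first, then the group goes on the ACL" sequence Andrew describes, written out as an added example. This is not code from the thread or from the OpenAFS project; the directory (/afs/example.com/keytabs), the group name (keytab-hosts), the client addresses (192.0.2.x) and the read-only rights are assumed values chosen for illustration. It uses only the standard pts and fs commands, and falls back to printing the commands when those tools are not installed.

```shell
#!/bin/sh
# Added example (not from the original message or from OpenAFS itself).
# Grants a directory to a set of client hosts via an OpenAFS IP ACL entry.
# OpenAFS only accepts IP entries on an ACL indirectly: the IP address is
# first created as a ptdb user (pts createuser with the address as the
# name), added to a group, and the group is what fs setacl refers to.
# Assumed values: /afs/example.com/keytabs, group keytab-hosts, 192.0.2.x.

# Emit the commands in the order OpenAFS requires: group first, then the
# IP entries and their group membership, and the ACL change last.
afs_ip_acl_commands() {
    dir=$1; group=$2; shift 2
    printf 'pts creategroup -name %s\n' "$group"
    for ip in "$@"; do
        printf 'pts createuser -name %s\n' "$ip"
        printf 'pts adduser -user %s -group %s\n' "$ip" "$group"
    done
    # "rl" = read and lookup only; the keytab consumer never needs write.
    printf 'fs setacl -dir %s -acl %s rl\n' "$dir" "$group"
}

# Run the sequence if the AFS client tools are present, otherwise show it.
run_afs_ip_acl() {
    if command -v pts >/dev/null 2>&1 && command -v fs >/dev/null 2>&1; then
        afs_ip_acl_commands "$@" | sh -e
    else
        echo "pts/fs not found; commands that would run:" >&2
        afs_ip_acl_commands "$@" >&2
    fi
}

run_afs_ip_acl /afs/example.com/keytabs keytab-hosts 192.0.2.10 192.0.2.11
```

The caveats in the message still apply to whatever this sets up: the ACL decision rests on the fileserver's view of the client's source address, and a change to the IP entries may take a while to be honoured, so verify with `fs listacl` and an actual access from the client rather than assuming the edit took effect immediately.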