[AFS3-std] Re: rxgk token expiry
Matt W. Benjamin
matt@linuxbox.com
Wed, 31 Oct 2012 23:44:07 -0400 (EDT)
Yes, rxgk is strictly more powerful.
Matt
----- "Russ Allbery" <rra@stanford.edu> wrote:
> "Matt W. Benjamin" <matt@linuxbox.com> writes:
>
> > There is no special rxk5 callback problem, it's the same as with rxkad,
> > for traditional AFS-3. But with new RPCs as we did later with extended
> > callback information, the callback channel must be protected, to get an
> > equivalent level of security. We did some work towards adding an
> > anonymous, secure backchannel using the rxk5 framework, but there has
> > been no interest from the community in rxk5 essentially, and we stopped
> > work on it.
>
> Right: to be very clear, this is not a problem that rxk5 *introduces*, but
> rather a problem that rxkad has and that rxk5 doesn't *fix*, but rxgk does.
>
> I don't think rxk5 does combined tokens either, which means another
> similar class of problem is the ability of a local user to poison the AFS
> cache, possible with rxkad but stopped in rxgk by using combined tokens
> and a keyed cache manager.
>
> --
> Russ Allbery (rra@stanford.edu)
> <http://www.eyrie.org/~eagle/>
--
Matt Benjamin
The Linux Box
206 South Fifth Ave. Suite 150
Ann Arbor, MI 48104
http://linuxbox.com
tel. 734-761-4689
fax. 734-769-8938
cel. 734-216-5309