[OpenAFS-devel] openafs - proposed cache security improvement
Todd M. Lewis
Todd_Lewis@unc.edu
Fri, 23 Mar 2007 09:54:24 -0400
What about old (which is to say, current) clients? Would a new server
which has these capabilities mask suid for files it serves to old
clients, or refuse to serve those files at all, or continue current
behavior and hope for the best?
Jim Rees wrote:
> Before looking at solutions I think it would be a good idea to look at the
> requirements. Here are the ones I can think of:
>
> 1. Client must have a secure connection to the server even for what are now
> unauthenticated connections
>
> 2. Client must be able to authenticate the server
>
> 3. It would be nice if this could be done with Kerberos rather than making
> afs depend on something else, like openssl and a public key infrastructure
>
> 4. No special configuration required on the client
>
> I think we agree on 1, I'm not sure about 2 but I think it's obviously a
> good idea, and we disagree on 3. We agree on 4 but you give it a higher
> priority than I do. I'd like to hear other people's opinions.
--
+--------------------------------------------------------------+
/ Todd_Lewis@unc.edu 919-445-9302 http://www.unc.edu/~utoddl /
/ A gossip is someone with a great sense of rumor. /
+--------------------------------------------------------------+