[OpenAFS] Delivering confidential information in AFS via Apache

Charles Karney ckarney@sarnoff.com
Fri, 3 Aug 2001 16:13:34 -0400 (EDT)


 > From: seph <seph@commerceflow.com>
 > Date: 31 Jul 2001 14:12:44 -0700
 > 
 > > My question is, how do I run apache, so that it is always authenticated. (I
 > > really don't want system:anyuser to have readaccess to our webservers' (yep,
 > > more of them) files ... not to speak of write-access :)
 > 
 > I would use an ip acl for this. that way the webservers don't have to
 > deal with getting tokens. something like:
 > 
 > pts createuser <ip of webserver 1>
 > pts createuser <ip of webserver 2>
 > pts creategroup web-servers
 > pts adduser web-servers <ip of webserver 1>
 > pts adduser web-servers <ip of webserver 2>

This is almost certainly the right advice in this context.  (Of course, the
web server should NOT be a machine which allows ordinary user access.)

However, I would also like to point out for the general info-afs audience
another option which in some cases is the right thing to do.

IF the situation is that you have CONFIDENTAL information in AFS that you
want the web server to delivery securely to a web client, then you can
configure the server to run with NO AFS credentials and to prompt for an
AFS username and password when pages in AFS are accessed; the server then
uses the resulting token to access the page.

This requires SSL (so that the password and data exchange are private) and
the AFSWEB package in the OpenAFS source tree.  This isn't built by
default, but I've recently got it going with

    OpenAFS 1.1.1
    Apache 1.3.20
    Mod_SSL 2.8.4-1.3.20

This allows you to have fine-grained control on who can access what (via
ACLs); it also means you don't have to duplicate a security setup for the
web if you've already got AFS set up at your site with the right access
controls.

I've got some scrappy patches/notes on how to set this up.  If there's
interest I can post this.

My ulterior motive is to see the AFSWEB component of OpenAFS promoted to
first-class status in the OpenAFS world.  Currently it's an orphan,
following IBM's termination of support of it.

The Transarc/IBM product was called WebSecure.  There used to be
documentation for this product on the web, but I can't find it any more.  I
still have copies of this documentation and it's reasonably good.  It would
be good to encourage IBM to allow this documentation to be posted once
more.

-- 
Charles Karney			Email:	ckarney@sarnoff.com
Sarnoff Corporation		Phone:	+1 609 734 2312
Princeton, NJ 08543-5300	Fax:	+1 609 734 2586