[OpenAFS] Home directory in AFS

Charles Clancy security@xauth.net
Mon, 22 Apr 2002 09:40:03 -0500 (CDT)


>     Turbo> So just configure pam_mkhomedir to recognize a KerberosV
>     Turbo> keytab, do the 'kinit', then the 'aklog' (both with proper
>     Turbo> options) equivalences in C.
>
>     Charles> For the 3rd or 4th time, this is a BAD IDEA.
>
> That's YOUR opinion. You have yet to PROVE and/or give a GOOD example/reason
> for why this is a bad idea.

I apologize for the tone of my last response.  I'm just frustrated.  It's
not just my opinion; I imagine that if you polled the readers of this
list, most would agree.  Maybe you could provide some more
information on your environment, so I could be convinced this was the only
approach possible?

>     Charles> If you're
>     Charles> going to put admin keytabs on all your workstations, just
>     Charles> USE NFS.  It would be MUCH more secure.  You're trying to
>     Charles> turn AFS into something it's not.
>
> Perhaps. I've always succeeded making software designed to do one thing,
> do the things _I_ want it to do. Usually by 'adding some random bits of
> code' :)

In my experience, one of the main benefits of AFS is its security, the
other being performance.  You'd still be gaining in the performance area,
but in my opinion, relying on the security of one's workstations is not
acceptable.  Most of the AFS clients I've managed were in public student
UNIX labs.  If keytabs were present on all workstations, any half-way
intelligent student could just reboot the machine in single user mode, or
off the installation media, and grab the file.  That may not be a concern
in your environment, however.

If you feel you can adequately protect that keytab file, then your method
would certainly work.  I just want to make sure you realize the
implications of that keytab being compromised.

>     Turbo> This is a bummer. Is it possible to only back up the ACL
>     Turbo> information, without taking the data?
>
>     Charles> Nope.
>
> I'm not convinced. Care to elaborate?

Your method for obtaining the ACL information would work, but seems overly
complicated.  Depending on your backup setup, you could "vos dump" your
volumes into files (did we convince you 1 volume per user was a good
idea?) and then back up those files using your normal backup system.  In
that case, you'd save your ACL information.

>     Charles> From everything you've said, I strongly suggest you stick
>     Charles> with NFS.  It would be more appropriate for your
>     Charles> environment.
>
> I have. NFS gave me more problems than it was worth, I need something
> completely different. And I might even USE NFS in some areas, but
> I'm first going to explore the 'whole' (at least as much as I have
> to to understand it enough) AFS business.

Right -- and I of course know nothing about your environment, so perhaps
my statement wasn't very qualified.

I'll try to refrain from calling you names. :)

[  t charles clancy  ]-[  tclancy@uiuc.edu  ]-[  uiuc.edu/~tclancy  ]
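
The "vos dump" approach from the message above, sketched as a shell function. This is an added example, not part of the original post or of OpenAFS; the user.<name> volume naming, the function name and the VOS override variable are assumptions, and the caller is assumed to already hold tokens allowed to dump the volumes.

```shell
#!/bin/sh
# Added example: dump one AFS volume per user into a file that an ordinary
# backup system can pick up. A volume dump carries the ACLs with the data.
# Assumption: home volumes are named user.<name> (site convention).

VOS="${VOS:-vos}"   # hypothetical override, lets the loop run without a cell

# dump_user_volumes DEST_DIR USER...
# Returns the number of volumes that failed to dump (0 = all succeeded).
dump_user_volumes() {
    dest=$1; shift
    failed=0
    old_umask=$(umask)
    umask 077                       # dumps hold user data: owner-only files
    mkdir -p "$dest" || { umask "$old_umask"; return 1; }
    for user in "$@"; do
        vol="user.$user"
        tmp="$dest/$vol.dump.partial"
        # -time 0 requests a full dump rather than an incremental one
        if "$VOS" dump -id "$vol" -time 0 -file "$tmp" >/dev/null 2>&1 \
            && [ -s "$tmp" ]; then
            mv -f "$tmp" "$dest/$vol.dump"   # publish only complete dumps
        else
            rm -f "$tmp"                     # never leave a truncated dump
            echo "dump failed: $vol" >&2
            failed=$((failed + 1))
        fi
    done
    umask "$old_umask"
    return "$failed"
}

# Usage (constructed names): dump_user_volumes /var/backup/afs alice bob
```

Because the dump files contain everything in the volumes, the destination directory needs the same protection as the backup media itself.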