[OpenAFS] Tokens that do not expire

Charles Clancy security@xauth.net
Sat, 19 Oct 2002 10:12:42 -0500 (CDT)


> > Or for that matter, why not just use an IP ACL.  Similar level of security
> > to a hardcoded password (assuming hacked machine == stolen IP), but no
> > tokens to worry about.
>
> The level of security provided by IP ACLs is far less than that provided
> by any sort of ticket, expiring or not.  (Especially if you do 'fs setcrypt
> on', you're in much better shape with a token than with an IP ACL.)

My assumptions included things such as subnet isolation, security of the
other hosts on the subnet, reasonably well configured routers, etc.
Provided the level of difficulty of hacking the machine and hijacking its
IP are similar, and the link between the host and the AFS servers is
"trusted", I think the danger is minimal.

In a properly configured environment with well maintained systems, I'm not
saying IP ACLs are better or even as good as token-based authorization --
just that both are signifcantly below my threshold of security concern,
making IP ACLs more attractive as far as managability.

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]