[OpenAFS] some basic infos about security

Douglas E. Engert deengert@anl.gov
Thu, 10 Apr 2003 09:48:42 -0500


Lo'oRiS il Kabukimono wrote:

> 
> What i want is not trusting *any* client, i.e. if somebody attaches a new
> pc in the net i do not trust it (and obviously IP is not a clever way of
> doing that ;)
> 

But that is what AFS gives you! You have to think in more than client-server terms.
There are really three components: the user, the client and the AFS server.
The AFS server will only allow access from a client if the client can prove
that it is operating on behalf of the user. It uses Kerberos to do this.

AFS is protecting the user's data, and will only allow access when the user
has requested it. The user can then pick the client machine he wants to use
to access his data.  

> Oh, i'd like an stronger authentication method like the AFS one, but since
> i need it to mount /home, i do not see how i could do that.

Many people (me included) have home directories in AFS. So it is not clear what
the problem is.

> 
> If i could share the user database (and passwords) between Linux and AFS
> itself... and have a login program that asks a single login and logs it in
> the system and also in AFS...
>

NO! You just gave the client machine (or the admin of the client machine)
access to all the AFS files, i.e. the admin could then impersonate any user
as he has the passwords.

PAM and Kerberos address these issues.
 
> Am i the only one to need such a thing? Weird.

No. Many file systems address this, including AFS, DFS, and NFSv4.
They all have in common that they are protecting the user's data,
and will give access to it from a client that can prove that the
client is acting on behalf of the user.



-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
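As an added illustration of the PAM-and-Kerberos approach Doug describes (not part of the original thread), here is a client-side PAM stack that lets a user log in to a Linux box and get AFS tokens without the client machine ever holding the password database. It assumes the pam_krb5 and pam_afs_session modules are installed and that account information (uid, home directory in /afs) comes from a password-less source such as /etc/passwd or LDAP; the module paths and option names are those of the common Linux packages.

```text
# /etc/pam.d/login (constructed example)
#
# Authentication: the password is verified against the Kerberos KDC, never
# stored on or compared by the client. minimum_uid keeps system accounts local.
auth      sufficient  pam_krb5.so        minimum_uid=1000
auth      required    pam_unix.so        try_first_pass

# Account: uid/gid/home come from the local account source; no password hash
# is needed there, so a client admin cannot harvest credentials from it.
account   required    pam_unix.so

# Session: turn the Kerberos ticket obtained above into an AFS token (via
# aklog) in a fresh PAG, so the token belongs to this login, not the machine.
session   required    pam_unix.so
session   optional    pam_krb5.so        minimum_uid=1000
session   optional    pam_afs_session.so minimum_uid=1000 program=/usr/bin/aklog
```

What the AFS server sees is a token issued by the KDC for the user, so a rogue client admin gains nothing from the client's own configuration files; the check that should follow a login is simply `tokens`, which lists the AFS cell and token expiry for that session.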