[OpenAFS] some basic infos about security

Douglas E. Engert deengert@anl.gov
Thu, 10 Apr 2003 15:41:36 -0500 

Lo'oRiS il Kabukimono wrote:
> 
> "Douglas E. Engert" <deengert@anl.gov> :
> 
> > Many people (me include) have home directoris in AFS. So it is not clear
> > what is the problem.
> 
> the problem is that i didn't understand what kerberos and pam do :)

http://www.google.com then search for kerberos 
http://web.mit.edu/kerberos/www/ is the first hit.

a google search on pam gives http://www.kernel.org/pub/linux/libs/pam/
a reasonable place to start.

> 
> now i suppose that they:
> 
>  · require users to login one, at the login prompt, and don't bother them
> with other requests such as an AFS separate login

Yes.

>  · mantain the same user database between Linux itself and AFS

In the unix world, the /etc/passwd does identification, authenticaiton (has a password),
autheoization (because an entry exists, and the shell will run) and some data
base (has home directory location).

Thee are split up in the Kerberos/AFS world. 


>  · if i create a new user take care of updating ACL for his home directory
> 
> correct?

Kerberos does authenticaiton. The ACLs are for authorization.  

> 
> if "yes", then could you address me to a good document
> (howto/tutorial/whatever) to have AFS+kerberos+pam running?
> 
> thx :)
> 
> PS: i'll stick to ACL, but i'd like to have enough time to create a program
> to automatically update ACLs when somebody chmods or chowns
>

chmod, and chown are unix concepts where UID and GID numbers are kept
with a file along with access bits for owner, group and world.  ACLs usually 
go further, allowing multiple groups, and multiple users to have differnet rights.  

 
> PS: i suppose there is no GPL implementation of it? i dislike "kernel
> tainted" :/
> 
> --
> "Never give up  Never give in  Be on our side  So we can win
>  Never give up  Never give in  Be on our side
>  Old moon's time is soon to come"
>   - Blind Guardian, "And then there was silence"
> 
> http://lano.webhop.net ·-:=[asd]=:-· http://lano-forum.webhop.net
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444