[OpenAFS] Distributing passwd

Noel Burton-Krahn noel@bkbox.com
Wed, 11 Jun 2003 10:44:15 -0700


We use OpenAFS, Kerberos and LDAP in a canned Linux server (www.bkbox.com)

There are a lot of moving parts, and it's a devil to set up the initial
system, but I think that combination is the best there is at the moment:

LDAP provides user account info (uid, gid, shell, home), but _not_
passwords.  A publicly-available password list a la NIS is insecure.

Kerberos provides passwords and authentication but not UNIX account
information.

OpenAFS provides home directories, etc., but you have to be careful your AFS
ID matches your LDAP userid.

We've also configured Apache to maintain Kerberos and AFS tickets.  Now we
can let CGI scripts read users' mail directories without becoming root,
since the CGI script inherits the user's AFS permissions, and their mail
directory is in AFS.  It's so great to rely on the AFS file system for
access control rather than giving Apache root.  The same goes for shared
calendars, etc.


--Noel

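The point above about keeping the AFS ID in line with the LDAP uidNumber is the kind of thing that quietly drifts as accounts are added by hand. The following is an added example, not code from the original post or from OpenAFS: a small audit script that parses an LDIF-style export of posixAccount entries and `pts listentries`-style output (both constructed sample data embedded below; the column layout "Name ID Owner Creator" is assumed) and reports accounts whose IDs disagree, accounts present on only one side, and LDAP uidNumbers that the protection database has handed to a different name.

```python
"""Audit that LDAP uidNumber values match OpenAFS protection-database IDs.

Added example with constructed sample data; the names, IDs and DNs below are
made up and not taken from any real site.
"""
import re

# Constructed LDIF export of posixAccount entries. As in the setup described,
# LDAP carries account info (uid, gid, shell, home) but no password hashes.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 100
homeDirectory: /afs/example.org/user/alice
loginShell: /bin/bash

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 100
homeDirectory: /afs/example.org/user/bob
loginShell: /bin/bash

dn: uid=carol,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: carol
uidNumber: 1003
gidNumber: 100
homeDirectory: /afs/example.org/user/carol
loginShell: /bin/bash
"""

# Constructed `pts listentries` output (users only). The header line and the
# "Name ID Owner Creator" column order are an assumption about the format.
SAMPLE_PTS = """\
Name                          ID  Owner Creator
alice                       1001  -204    -204
bob                         1042  -204    -204
dave                        1003  -204    -204
"""


def parse_ldif(text):
    """Return {uid: uidNumber} for every entry carrying both attributes."""
    accounts = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), value.strip())
        if "uid" in attrs and "uidNumber" in attrs:
            accounts[attrs["uid"]] = int(attrs["uidNumber"])
    return accounts


def parse_pts(text):
    """Return {name: id} from pts listentries output, skipping the header."""
    ids = {}
    for line in text.strip().splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2:
            ids[parts[0]] = int(parts[1])
    return ids


def audit(ldap_accounts, afs_ids):
    """Cross-check both maps and return every discrepancy found."""
    afs_by_id = {i: n for n, i in afs_ids.items()}
    mismatched = {u: (i, afs_ids[u]) for u, i in ldap_accounts.items()
                  if u in afs_ids and afs_ids[u] != i}
    # A uidNumber that pts has assigned to a different name is the case that
    # silently gives the wrong person ownership of files in AFS.
    collisions = sorted((i, u, afs_by_id[i]) for u, i in ldap_accounts.items()
                        if i in afs_by_id and afs_by_id[i] != u)
    return {
        "mismatched": mismatched,
        "ldap_only": sorted(set(ldap_accounts) - set(afs_ids)),
        "afs_only": sorted(set(afs_ids) - set(ldap_accounts)),
        "id_collisions": collisions,
    }


if __name__ == "__main__":
    report = audit(parse_ldif(SAMPLE_LDIF), parse_pts(SAMPLE_PTS))
    for kind, items in report.items():
        print(f"{kind}: {items}")
```

On a live cell the two inputs would come from `ldapsearch` and `pts listentries` respectively; the parsers only need the attribute names and column order shown here.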
----- Original Message -----
From: "Derek Atkins" <warlord@MIT.EDU>
To: "Stephen Joyce" <stephen@physics.unc.edu>
Cc: <openafs-info@openafs.org>
Sent: Wednesday, June 11, 2003 9:48 AM
Subject: Re: [OpenAFS] Distributing passwd


> Stephen Joyce <stephen@physics.unc.edu> writes:
>
> > It would be wise to think twice (or more!) before deploying NIS due to
> > security concerns.
>
> Ok, what security concerns?  The encrypted password isn't stored there
> (we use Kerberos) -- you can just put a '*' in there.  So, what
> particular concerns about NIS are you worried about?
>
> > Have you considered simply storing master copies of your passwd, group,
> > hosts files, etc in AFS and having each client regularly update its
> > local copy from the master?
>
> Ok, how is this any more secure than NIS?  Your client isn't
> authenticating or encrypting this traffic any more than NIS is.
>
> -derek
> --
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warlord@MIT.EDU                        PGP key available