Coda File System

RE: $Home in coda

From: Peter J. Braam <braam_at_cs.cmu.edu>
Date: Sat, 24 Jul 1999 20:59:35 -0600

Hi,

To a certain extent such problems could go away with Kerberos.  Kerberos
allows token acquisition with an indicator that the tokens may be forwarded.
Telnet uses this for example to forward Kerberos tokens from the client to
the server machines (ktelnet that is, the kerberized version).

The problem is that NFS on the client certainly doesn't have the capability
to do this, unless one looks at NFS version 4 maybe.  Similarly the NFS
server would need some changes for this.  It would require changes to both
clients (where some of the security model in the kernel would have to
change) as well as to servers.  It wouldn't surprise me if the Windows SMB
redirector found in Windows 2000 does have such capabilities, but I'm not
sure.

For AFS/NFS there is a kerberized NFS server which does token forwarding to
the AFS client on the same system, but I think one still has to log in to
the NFS server to get such tokens (perhaps with the kerberized NFS client,
this would go away; it's dead slow though).

- Peter -

> -----Original Message-----
> From: Pete Gonzalez [mailto:gonz_at_ratloop.com]
> Sent: Saturday, July 24, 1999 8:26 PM
> To: Bill Gribble
> Cc: codalist_at_TELEMANN.CODA.CS.CMU.EDU
> Subject: Re: $Home in coda
>
>
> >A cron script is run to assign tokens:
> >
> >for u in `ls /usr/local/lib/coda-auth`
> >do
> >    echo "Setting token for " $u;
> >    fn=`echo "/usr/local/lib/coda-auth/$u" | sed -e 's/ //g'`
> >    su -c "clog $u < $fn" - $u;
> >done
>
> This whole cron-job-that-acquires-tokens system seems to be
> pointing to a fundamental problem with the integration between
> CODA's security model and the regular Unix security model.
> IMO authentication and file systems are totally independent
> components of an operating system; CODA's ad hoc security model
> appears to exist only as a kludge to overcome limitations of
> the standard Unix /etc/passwd system.
>
> Is there an existing standard Unix/Linux security model that
> would be easier to integrate with CODA?  For example, do these
> problems go away when Kerberos is being used for authentication?
>
> Pete Gonzalez
>
>
Received on 1999-07-24 22:58:03