Hi,

To a certain extent such problems could go away with Kerberos. Kerberos allows token acquisition with an indicator that the tokens may be forwarded. Telnet uses this for example to forward Kerberos tokens from the client to the server machines (ktelnet that is, the kerberized version).

The problem is that NFS on the client certainly doesn't have the capability to do this, unless one looks at NFS version 4 maybe. Similarly the NFS server would need some changes for this. It would require changes to both clients (where some of the security model in the kernel would have to change) as well as to servers.

It wouldn't surprise me if Windows SMB redirector found in Windows 2000 does have such capabilities, but I'm not sure.

For AFS/NFS there is a kerberized NFS server which does token forwarding to the AFS client on the same system, but I think one still has to log in to the NFS server to get such tokens (perhaps with the kerberized NFS client, this would go away; it's dead slow though).

- Peter -

> -----Original Message-----
> From: Pete Gonzalez [mailto:gonz_at_ratloop.com]
> Sent: Saturday, July 24, 1999 8:26 PM
> To: Bill Gribble
> Cc: codalist_at_TELEMANN.CODA.CS.CMU.EDU
> Subject: Re: $Home in coda
>
>
> >A cron script is run to assign tokens:
> >
> >for u in `ls /usr/local/lib/coda-auth`
> >do
> >  echo "Setting token for " $u;
> >  fn=`echo "/usr/local/lib/coda-auth/$u" | sed -e 's/ //g'`
> >  su -c "clog $u < $fn" - $u;
> >done
>
> This whole cron-job-that-acquires-tokens system seems to be
> pointing to a fundamental problem with the integration between
> CODA's security model and the regular Unix security model.
> IMO authentication and file systems are totally independent
> components of an operating system; CODA's ad hoc security model
> appears to exist only as a kludge to overcome limitations of
> the standard Unix /etc/passwd system.
>
> Is there an existing standard Unix/Linux security model that
> would be easier to integrate with CODA?  For example, do these
> problems go away when Kerberos is being used for authentication?
>
> Pete Gonzalez
>

Received on 1999-07-24 22:58:03
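
The quoted cron job reads one file per user from /usr/local/lib/coda-auth and pipes it into clog. As an added example (not code from this thread or from the Coda project), the functions below vet each such file before it is used. Assumptions: each file holds that user's password in cleartext, GNU `stat` is available, and `token_file_ok` and `check_token_dir` are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the thread): vet each per-user file before the
# cron job pipes it into clog.
# Assumption: DIR/<user> holds <user>'s Coda password in cleartext.

# token_file_ok FILE UID
# 0 = usable, 1 = not a plain file, 2 = wrong owner, 3 = mode too open.
token_file_ok() {
    f=$1 want_uid=$2
    # A symlink could point the read at some other file, so reject it.
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    meta=$(stat -c '%u %a' "$f") || return 1   # GNU stat: "uid mode"
    [ "${meta% *}" = "$want_uid" ] || return 2
    # Only the owner may have any access bits.
    case ${meta#* } in
        400|600) return 0 ;;
        *)       return 3 ;;
    esac
}

# check_token_dir DIR
# Prints one verdict per entry; returns 0 only if every entry is usable.
check_token_dir() {
    bad=0
    for f in "$1"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # empty directory
        u=${f##*/}
        # The file name is the account name, as in the quoted script.
        if uid=$(id -u -- "$u" 2>/dev/null) && token_file_ok "$f" "$uid"; then
            echo "ok   $u"
        else
            echo "skip $u"
            bad=1
        fi
    done
    return "$bad"
}

# Hypothetical cron usage: run clog only for entries reported "ok".
# check_token_dir /usr/local/lib/coda-auth
```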