Hello!

I am thinking about server spoofing (an issue becoming more visible with
coming multi-realm architecture).

With authenticated access it is possible (unsure how much of it is
really done?) to check that the fileserver is who it pretends to be, as
authserver could prove that it knows the user password.

For anonymous access a client should know something about a server except
its ip number.

The DFS approach is to create a host account per client, thus always
having some shared secret to be able to check against. Not a convenient
solution (been there) as it implies administration per client host.
What we want is administration per user, who then would be able to
use any client, or setup and use a new client, without being a realm
administrator.

Otherwise it is rather insecure to put say software on Coda as clients
using this software are subject to server ip spoofing.

Well, it is not a big problem inside one realm with all of the computers
centrally administered. The users become authenticated against it anyway
at login time (and my client hosts *have* kerberos accounts so the
authentication chain is present).

It becomes hard while serving clients that I cannot maintain
accounts/shared secrets for. Nevertheless they need to know that my server
is not spoofed!

One approach I would think about is usage of public keys, either in a
per-client file with a list of known realms, or (probably hard to
administer) a certificate tree...

What plans or ideas exist to be able to solve this issue?

Best regards and thanks, Coda is great!
--
Ivan