Coda File System

Re: Coda Built-In vs. Kerberos Authentication

From: <u+codalist-p4pg_at_chalmers.se>
Date: Tue, 20 Mar 2007 13:53:35 +0100

Hi Paulo,

On Tue, Mar 20, 2007 at 10:49:22AM +0000, Paulo Andre wrote:
> So I'm asking, what is the current state of authentication in Coda  
> these days?

1.
> Is the regular Coda clog-based authentication strong  
> enough or

2.
> should I be setting up Kerberos auth?

3.
> What's the current state of its support in Coda?

--

1: Yes, it is reasonably strong (about as strong as you can do with 64-bit
keys)

2: Kerberos may still be preferable for other reasons, e.g.

 sharing passwords with other systems like host login or something else

 using third-party tools for authentication record management (password
 changes, adding/deleting accounts)

 reusing existing user authentication databases (doesn't seem to apply
 in your case?)

3: Kerberos 5 protocol is fully supported, but there are hardwired
limitations on how a Kerberos realm must be set up to make it useful
for a certain Coda realm, which makes sharing the authentication data
somehow troublesome, especially across administration domains.

I'd suggest using the "experimental" modular clog.
It is fully functional and quite extensively tested,
but it still has not replaced the old code in the distribution.

In my personal biased opinion the default Kerberos support code is incomplete;
it relies on client-side configuration of clog/Kerberos.
In contrast, the modular uses a trivial service on the server
side so that the clients work with any realm having such a service,
talking to the corresponding Kerberos servers without any client-side
configuration.
Of course if a Coda realm does not announce its authentication setup,
(the modular) clog can always be configured / given explicit command line
options to do the right thing.

Regards,
Rune
Received on 2007-03-20 08:54:50