Coda File System

Re: Coda Built-In vs. Kerberos Authentication

From: Paulo Andre <prla_at_netcabo.pt>
Date: Tue, 20 Mar 2007 13:48:12 +0000

Hi Rune,

Thanks so much for addressing all my questions.

Here are a couple of further remarks.

On Mar 20, 2007, at 12:53 PM, u+codalist-p4pg_at_chalmers.se wrote:
>
> 1: Yes, it is reasonably strong (about as strong as you can do with
> 64 bits keys)
>
> 2: Kerberos may still be preferable for other reasons, e.g.
>
>  sharing passwords with other systems like host login or something else
>
>  using third-party tools for authentication record management (password
>  changes, adding/deleting accounts)
>
>  reusing existing user authentication databases (doesn't seem to apply
>  in your case?)

I'm interested in users - which authenticate via an external LDAP
server on their workstations - having their homes mounted upon login
on the /coda filesystem. Does this mean this will only work with a
Kerberos-based authentication in Coda? From what you see, it appears
to be the case, though taking into account clog uses 64-bit
encryption, that'd be enough for me and I'd rather avoid setting up
Kerberos for now.

On a side note, I found a pam_coda module somewhere on the web,  
written by Robin Gareus back in early 2000. What is the preferred way  
nowadays to have such a setup going?

> 3: Kerberos 5 protocol is fully supported, but there are hardwired
> limitations on how a Kerberos realm must be set up to make it useful
> for a certain Coda realm, which makes sharing the authentication data
> somehow troublesome, especially across administration domains.
>
> I'd suggest using the "experimental" modular clog.
> It is fully functional and quite extensively tested,
> but still did not replace the old code in the distribution.

Hmm, how do I go about giving it a spin? I've been simply using the  
Debian packages on the CMU Coda repository...

> In my personal biased opinion the default Kerberos support code is
> incomplete, it relies on client-side configuration of clog/Kerberos.
> In contrast, the modular uses a trivial service on the server
> side so that the clients work with any realm having such a service,
> talking to the corresponding Kerberos servers without any client-side
> configuration.
> Of course if a Coda realm does not announce its authentication setup,
> (the modular) clog can always be configured / given explicit command line
> options to do the right thing.
>
> Regards,
> Rune

Cheers,

		Paulo
Received on 2007-03-20 09:49:38