Coda File System

Coda service authentication

From: Alan Caulkins <fatman_at_maxint.net>
Date: Fri, 12 Feb 2010 14:31:25 -0600

Hello,

I'm considering switching to Coda as an alternative to my current AFS
cell, and I have a couple of questions about how Coda interacts with
certain services. Specifically, I'd like to know how service daemons
authenticate themselves with Coda over time. In AFS, if I want a
service to have access to directories (beyond the basic anyuser
non-authenticated access), I have to set up a service principal for
the service in Kerberos. That principal must then be authenticated with
a keytab file, followed by a call to aklog, at service
start-up. Authentication must also be repeated periodically as the
daemon runs, as the Kerberos ticket expires frequently. Finally, AFS
has a "process authentication group" (PAG), which is an AFS-specific
identification number in the kernel used to associate a tree of
processes with an AFS user. The way to issue a new PAG to a daemon
process is to execute the process with a specialized shell called
pagsh.

The "Coda In Action" section of the "Coda Distributed Filesystem"
paper located at http://www.coda.cs.cmu.edu/ljpaper/lj.html describes
FTP mirror sites and WWW replication servers that surely must have
authenticated service daemons, so it seems that this use case was
considered in the Coda design.

Here are my questions:

1. If I use Coda without Kerberos, how do I continuously authenticate
long-running daemons? (I have come to view Kerberos as a problem, so I'd
like to live without it if possible.)

2. Where does Coda store user accounts?

3. Does Coda have something like a PAG, and if not, how does a process
tree share authentication?

4. Kerberos is intended for single-user workstations, and
multiple-user workstations have security problems associated with
their ticket stores in /tmp. Does Coda better deal with multiple
simultaneous users on a client or does it have these same problems?

5. I've seen statements on the Coda website about server machines that
are also clients not being recommended. There are also remarks about
this being an old problem that is no longer so significant. What is
the current status of this issue?

Sorry that these questions are so lengthy, and thank you in advance
for any information you can share.

-A

-- 
			Linux: The ultimate video game.
Received on 2010-02-12 16:03:51
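The AFS start-up sequence the post describes (authenticate a service principal from a keytab, call aklog, repeat on a timer, and give the daemon its own PAG via pagsh) as one wrapper script. This is an added example, not code from the post or from the Coda or OpenAFS projects; the keytab path, principal, credential-cache location and refresh interval are constructed placeholders, and the `--in-pag` flag is this script's own re-entry convention rather than anything pagsh provides.

```shell
#!/bin/sh
# Added example, not from the original post: wrap a long-running daemon in its
# own AFS PAG, authenticate it from a keytab, and re-authenticate on a timer so
# its AFS token does not lapse while it runs. Every path, principal and
# interval below is a constructed placeholder.

KEYTAB="${KEYTAB:-/etc/example-service.keytab}"                         # assumed
PRINCIPAL="${PRINCIPAL:-example-service/host.example.org@EXAMPLE.ORG}"  # assumed
REFRESH_SECONDS="${REFRESH_SECONDS:-21600}"   # 6h; assumes a 10h ticket lifetime
# Give the service its own credential cache instead of the shared /tmp default;
# the directory is assumed to exist and to be owned by the service user.
KRB5CCNAME="${KRB5CCNAME:-FILE:/run/example-service/krb5cc}"
export KEYTAB PRINCIPAL REFRESH_SECONDS KRB5CCNAME

# Obtain a TGT non-interactively from the keytab, then turn it into an AFS
# token for the current PAG with aklog. Both steps must succeed.
afs_auth() {
    kinit -k -t "$KEYTAB" "$PRINCIPAL" && aklog
}

# Single-quote each argument so a command line can be rebuilt safely by the
# shell that pagsh starts (an embedded ' becomes '\'' ).
shell_quote() {
    for arg; do
        printf "'%s' " "$(printf '%s' "$arg" | sed "s/'/'\\\\''/g")"
    done
}

# Background refresher: re-authenticate every REFRESH_SECONDS until the daemon
# (pid $1) is gone. A failed refresh is logged, not fatal, so the daemon keeps
# its current token until the next attempt.
afs_refresh_loop() {
    while kill -0 "$1" 2>/dev/null; do
        sleep "$REFRESH_SECONDS"
        afs_auth || logger -t afs-wrapper "re-authentication failed for $PRINCIPAL"
    done
}

# Runs inside the fresh PAG: authenticate, start the daemon, keep refreshing,
# and report the daemon's exit status.
run_daemon_in_pag() {
    afs_auth || exit 1
    "$@" &
    daemon_pid=$!
    afs_refresh_loop "$daemon_pid" &
    refresher_pid=$!
    status=0
    wait "$daemon_pid" || status=$?
    kill "$refresher_pid" 2>/dev/null
    return "$status"
}

# Entry point: pagsh -c starts a shell in a new PAG; re-enter this script there
# so the daemon and its refresher share that PAG and nothing else on the host does.
start_in_pag() {
    [ $# -ge 1 ] || { echo "usage: $0 daemon [args...]" >&2; exit 2; }
    exec pagsh -c "exec $(shell_quote "$0") --in-pag $(shell_quote "$@")"
}

case "${1:-}" in
    --in-pag) shift; run_daemon_in_pag "$@" ;;
    "")       : ;;                # no arguments: define the functions only
    *)        start_in_pag "$@" ;;
esac
```

Invoked as `./afs-wrapper.sh /usr/sbin/some-daemon --foreground`, the script re-executes itself inside `pagsh -c`, so the token obtained by aklog is attached to the new PAG and shared only by the daemon and its refresher. The private `KRB5CCNAME` is what keeps the service's ticket out of the shared `/tmp` cache location that the fourth question raises.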