
Re: Kerberos and Hesiod?



> Yup.  Project Athena uses hesiod to set the user id's, but that's on
> public workstations where the user id's don't really have much meaning
> anyway.  (i.e., user files aren't stored on public workstations, and the
> remote filesystems --- AFS and NFS --- are Kerberos authenticated)
> 
> Root is the easy case; you simply special case out root, just as you
> probably want to special case out root if you're using non-Kerberos
> authenticated NFS filesystem mounts.  The real killer is users getting
> at other users' files.

> This happens to not be a problem for public cluster workstations since
> only one user logs in at a time and (as I've mentioned already) users
> don't store user files on the public cluster machine.  
> 
> But yes, otherwise, using Hesiod for uid/gid information is a problem.

     I suppose I shouldn't be surprised.  After all, Hesiod *is* built on
top of DNS.  I knew there had to be a way to safeguard root, but it didn't
immediately occur to me that keeping users from impersonating each other
would be much harder.  (Hrrrm, anybody ever tried to Kerberize Hesiod?)
     Okay, Hesiod is right out, then.  I suppose, if nothing else, there
is always NIS.  Or maybe I should just write a secure system to do this
kind of stuff myself.  8)  Actually, would it be that hard, if you had
something like Kerberos around to help?      
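
Added example, not part of the original message: a sketch of the "special case out root" check discussed in the thread, showing why it protects root but not users from each other. It assumes the Hesiod passwd answer is a passwd(5)-style line; `MIN_UID`, the function names and all records are constructed for illustration.

```python
# Added illustration; policy values and records below are constructed sample data.
from typing import NamedTuple, Optional

MIN_UID = 100  # assumed local policy: uids below this are reserved for system accounts


class PasswdEntry(NamedTuple):
    login: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_hesiod_passwd(txt: str) -> PasswdEntry:
    """Parse a passwd(5)-style line as carried in a Hesiod passwd answer."""
    fields = txt.strip().split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}")
    login, _pw, uid, gid, _gecos, home, shell = fields
    return PasswdEntry(login, int(uid), int(gid), home, shell)


def accept_for_login(requested: str, txt: str) -> Optional[PasswdEntry]:
    """Apply the 'special-case root' filter to an unauthenticated answer."""
    try:
        entry = parse_hesiod_passwd(txt)
    except ValueError:
        return None                      # malformed answer: refuse the login
    if entry.login != requested:
        return None                      # answer is for a different account
    if entry.login == "root" or entry.uid < MIN_UID:
        return None                      # never take root/system ids from the network
    return entry


# Constructed answers to a lookup of "alice"; only the first is the real record.
GENUINE = "alice:*:5001:101:Alice Example:/mit/alice:/bin/csh"
FORGED_ROOT = "alice:*:0:0:Alice Example:/mit/alice:/bin/csh"
FORGED_PEER = "alice:*:5002:101:Alice Example:/mit/alice:/bin/csh"  # 5002 is bob's uid


def demo() -> dict:
    samples = {"genuine": GENUINE, "forged_root": FORGED_ROOT, "forged_peer": FORGED_PEER}
    return {name: accept_for_login("alice", txt) for name, txt in samples.items()}


if __name__ == "__main__":
    for name, entry in demo().items():
        print(f"{name:12} -> {'accepted uid ' + str(entry.uid) if entry else 'rejected'}")
```

The forged peer record passes every check the client can make on its own, because nothing in the answer ties uid 5002 to an authenticated source; that is the user-to-user case the thread calls the real killer.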


