08-30-2008, 01:16 PM
Bastian Blank

transferring files between *.debian.org hosts (was: people.debian.org to move to ravel)

On Sat, Aug 30, 2008 at 02:32:08PM +0200, Peter Palfrader wrote:
> - install sendfile/saft on all machines so you can do
> sendfile foo.tar.gz weasel@merkel
>
> The crypto stuff could be alleviated by using ipsec between all our
> servers. But that works even less well than you'd expect.

The machines need to check DNSSEC or the names can be spoofed, which
makes ipsec moot.

> - setup afs
>
> pros: + AFS is cool

Yeah. You can make read-only snapshots for backup purposes.

> + once we have a krb realm we could maybe also use it for other
> stuff like all those web services that require logins. How
> good is krb support in browsers these days?

Firefox supports it in a whitelist approach. However I never tested it.

> cons: - integrating krb and afs into ud-ldap is a lot of work
> - setting up afs will be a lot of work too
> - little prior experience with afs
> - AFS suffers from the not-a-filesystem syndrome: file access
> control is not unix-like and will confuse users.

Also other parts are not really POSIX-like. Hardlinks or so.

> - might cause problems with existing firewalls.

- The needed kernel module still uses rootkit-like behaviour.

> What other options did we forget?

- Set up Kerberos, allow it as an additional ssh login variant

+ Ticket forwarding

However, only the insecure options allow automatic operation, so let's
extend some options (yes, I think about the D-I images which are
located in people):

- Allow additional principals for automatic usage

This can be combined with AFS and SSH-Kerberos

Each user can create additional principals $USER/cron/$ID@$REALM, the
keys are put into a keyfile so that a script can create a ticket and
use that to do the operations.

AFS: Just needs proper ACLs for this principal.
SSH: Needs mapping in /etc/krb/krb5.conf or .k5login and there was
something else.

Bastian

--
Extreme feminine beauty is always disturbing.
-- Spock, "The Cloud Minders", stardate 5818.4
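
The per-job principal with its key in a keyfile, as described in the post above, could be wrapped for cron use like this. This is an added example, not part of the thread or of Debian's setup; it assumes MIT or Heimdal `kinit`/`kdestroy` and GNU `stat`, and the user, job id, realm, host and keytab path are constructed.

```shell
#!/bin/sh
# Added example. The principal scheme $USER/cron/$ID@$REALM is from the post;
# the user, id, realm, host and keytab path used below are constructed.
LC_ALL=C; export LC_ALL   # make the character ranges below byte-wise

# Build the principal name. Each component is checked so that a stray
# '/' or '@' cannot turn "alice" into a different principal.
cron_principal() {
    case $1 in ''|*[!a-z0-9-]*)     return 1 ;; esac   # user
    case $2 in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac   # job id
    case $3 in ''|*[!A-Z0-9.-]*)    return 1 ;; esac   # realm
    printf '%s/cron/%s@%s\n' "$1" "$2" "$3"
}

# The keytab holds the principal's long-term key; whoever can read it can
# get tickets as that principal. Accept only a regular file (no symlink),
# owned by the caller, with no group or other permission bits.
keytab_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(stat -c %u "$1")" = "$(id -u)" ] || return 1   # GNU stat
    case $(stat -c %a "$1") in *00) return 0 ;; *) return 1 ;; esac
}

# Get a ticket into a per-run credential cache, run the command, destroy
# the ticket. The ( ) body is a subshell, so KRB5CCNAME does not leak and
# "exit" only leaves that subshell, giving the function its status.
run_with_ticket() (
    principal=$1 keytab=$2; shift 2
    keytab_is_private "$keytab" || { echo "refusing keytab $keytab" >&2; exit 2; }
    cc=$(mktemp) || exit 2
    KRB5CCNAME="FILE:$cc"; export KRB5CCNAME
    kinit -k -t "$keytab" "$principal" || { rm -f "$cc"; exit 3; }
    "$@"; rc=$?
    kdestroy; rm -f "$cc"
    exit "$rc"
)

# Typical cron usage (left commented out; needs a KDC and a real keytab):
# p=$(cron_principal alice di-images EXAMPLE.ORG) &&
#     run_with_ticket "$p" "$HOME/.keytabs/di-images.keytab" \
#         scp -o GSSAPIAuthentication=yes image.iso host.example.org:public_html/
```

The target host still has to map the `/cron/` principal to the account, which is the `.k5login` step the post mentions.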


08-30-2008, 02:30 PM
"brian m. carlson"

transferring files between *.debian.org hosts (was: people.debian.org to move to ravel)

On Sat, Aug 30, 2008 at 03:16:01PM +0200, Bastian Blank wrote:
> On Sat, Aug 30, 2008 at 02:32:08PM +0200, Peter Palfrader wrote:
> > + once we have a krb realm we could maybe also use it for other
> > stuff like all those web services that require logins. How
> > good is krb support in browsers these days?
>
> Firefox supports it in a whitelist approach. However I never tested it.


I use Kerberos authentication for my OpenID server, and it works
flawlessly with Iceweasel and mod_auth_kerb.

--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
 

All times are GMT.