unified authentication

Robert Watson rwatson at freebsd.org
Thu Sep 25 09:37:37 PDT 2003


On Thu, 25 Sep 2003, David G. Andersen wrote:

> > The Arla client used to work quite well, and probably still works quite
> > well on 4.x. I'm not sure of the status of Arla on 5.x.  It sounded like
> > Tom Maher had the OpenAFS server code up and running on FreeBSD, so you
> > should at least have access to a pair of AFS client/server that work.
> 
>   If the client machines are semi-trusted, SFS is a good solution.
> I don't know that its authentication is integrated with Kerberos,
> but the security model is at least stronger than NFS:  Root on a
> client machine could gain access to users' accounts if they accessed
> them from that machine, but not to accounts that merely were OK
> to export to that machine.
> 
>   http://www.fs.net/

And one of the very nice things about the SFS implementation is that it
plugs into loop-back NFS on the client, so you don't need special kernel
changes, which is what has made the OpenAFS and Arla stuff so difficult.
On the other hand, there's presumably the expected observable performance
difference...

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Network Associates Laboratories



