
Re: A few questions about implementing a KDC for OpenAFS



Thanks for your response.

On Thursday 26 May 2005 04:34, Harald Barth wrote:
> > 1. Which is the better choice from the point of view of a Kerberos
> > authentication mechanism that fully integrates with OpenAFS (I will be
> > using Debian Sarge) - MIT or Heimdal ?
>
> I don't know how good or bad the stuff in the packages is. My impression
> is that heimdal has some convenient functions - one that I remember is
> that it lets you generate AFS-keyfiles.
>

Ok. Having precompiled packages is not a must for me. I can compile stuff.


> > 2. The group I administer servers for is a part of a much larger
> > organization which has its own realm and AFS setup. However, I want only
> > a subset of that organization (viz. my own group) to be authenticated for
> > access to our fileservers (which have FQDNs and are visible on the
> > Internet, running Slackware 10.1). Is it possible for me to get away
> > without implementing a KDC at all and just pass on the authentication
> > requests to the organization's KDC after ensuring that they belong to a
> > restricted subset of the users at my end ?
>
> You can use their KDC and use your own AFS cell in their realm.
>
> > 3. Let us assume that the answer to 2 above is no. In that case, is it
> > possible for me to hide the KDC completely from the Internet (with class
> > C addresses) ?
>
> Why? The KDC is one of the more safe applications.

This is a little confusing. I posed a question on the postfix users list and 
inquired if it would be possible to use GSSAPI to authenticate against the 
KDC for my local subrealm. They suggested that exposing the KDC to the 
internet with a FQDN is never a good idea.

So, that leaves a class C address behind a proper firewall, doesn't it?

>
> >  Let us assume the following topology :
> > (...)
>
> I think you make things unnecessarily complicated. If you trust your
> head organization not to break in willingly (because the AFS master
> key is of course in the KDC), you can set up your own AFS cell with
> your users only. Or you can use your own KDC, exchange trust with
> the other KDC and then let your users decide whom to trust (for
> example their alter ego in the other realm).

Maybe I did not explain this thoroughly. I intend to have a subrealm (say 
kdchost.domain.edu where domain.edu already has its own AFS realm - 
kdcsuper.domain.edu).

>
> I do not understand what you want to win by using a black net.

Some security. Maybe I am now more confused (hopefully better informed) than 
before!
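As an added illustration of the second option Harald describes (own KDC, cross-realm trust with the organization's KDC, users choosing whom to trust via AFS ACLs), here is an MIT-style krb5.conf for the group's hosts. This is not from the thread or from any project; the realm names KDCHOST.DOMAIN.EDU (the group's subrealm) and DOMAIN.EDU (the organization's realm, KDC kdcsuper.domain.edu) and the cell name kdchost.domain.edu are assumptions taken from the message above.

```ini
# Added example, not from the original thread. Assumed realms:
#   group realm        KDCHOST.DOMAIN.EDU  (KDC kdchost.domain.edu, the group's own)
#   organization realm DOMAIN.EDU          (KDC kdcsuper.domain.edu)
[libdefaults]
    default_realm = KDCHOST.DOMAIN.EDU

[realms]
    KDCHOST.DOMAIN.EDU = {
        kdc = kdchost.domain.edu
        admin_server = kdchost.domain.edu
    }
    DOMAIN.EDU = {
        kdc = kdcsuper.domain.edu
    }

[domain_realm]
    # Hosts of the group map to the subrealm; everything else in domain.edu
    # stays with the organization's realm.
    kdchost.domain.edu = KDCHOST.DOMAIN.EDU
    .domain.edu = DOMAIN.EDU
    domain.edu = DOMAIN.EDU

# Trust in one direction only: organization users may obtain tickets for
# the group's AFS cell, but group users are not trusted by the organization.
# Both KDCs must hold the principal krbtgt/KDCHOST.DOMAIN.EDU@DOMAIN.EDU
# with an identical key, e.g. on each KDC (shared secret is a placeholder):
#   kadmin.local -q 'addprinc -pw <SHARED-SECRET> krbtgt/KDCHOST.DOMAIN.EDU@DOMAIN.EDU'
# Leaving krbtgt/DOMAIN.EDU@KDCHOST.DOMAIN.EDU undefined keeps it one-way.
[capaths]
    DOMAIN.EDU = {
        KDCHOST.DOMAIN.EDU = .
    }

# On the AFS side (cell kdchost.domain.edu, afs key only in the group's KDC):
# DOMAIN.EDU is deliberately NOT listed in the servers' krb.conf
# (/etc/openafs/server/krb.conf on Debian packages), so organization users
# appear in PTS as "user@domain.edu" rather than as local users. A group
# member then grants access to a trusted alter ego explicitly:
#   pts createuser alice@domain.edu
#   fs setacl /afs/kdchost.domain.edu/home/alice alice@domain.edu rl
```

Anyone not created in PTS and named on an ACL still gets only what system:anyuser is allowed, which is the "let your users decide whom to trust" behaviour from the reply.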