(Paul Blackburn) wrote:
> 
> Dave Drew <[EMAIL PROTECTED]> apparently wrote
>
> [...question about afs to "nis" conversion...]

> Excuse me but... since when was NIS a file system? I guess you mean NFS?
> 
> If you really intend to do this, then you better hope none of your users
> is capable of:
>   a) running "ypcat passwd" to display encrypted passwords
>   b) using the public domain "crack" program to guess passwords
>      from word dictionaries.
>
> Ok, you want a serious answer... you don't tell us what AFS dependencies
> you have. First, make a plan of action and get it reviewed as widely
> as possible. Make sure your networks have enough bandwidth to cope
> with the extra network traffic from NFS. Gently, break the news to
> your users that they will no longer have an on-line backup of their
> $HOME and that they can forget about security through ACLs.

Well, AFS has significant advantages over NFS, but you seem to be
comparing it with NFS of a decade ago.  Allow me to inject some
current data.

First, SunOS has had the ability to hide the encrypted passwords
from ordinary users since at least 4.1.2.  Under 4.1.x (with C2
security enabled) and 5.x, ypcat will not show encrypted passwords
unless you're root.  Thus, crack is of little use to ordinary users.
(For things other than SunOS, you're on your own.)

Recent versions of Solaris have the cache filesystem, which has
the same effect as the AFS cache on network traffic.

Users generally have no idea what "on-line backup" means.  Any
modern backup system will know how to deal with a live filesystem
anyway, so this really isn't an issue.

Solaris 2.5 and later have access control lists.  Although Solaris
has Kerberos, you apparently have to go out of your way to use it
for anything.  So the ACLs are only based on the native C2-level
security.

It does seem odd that a site would go to the effort to back out of
an AFS installation after expending the effort to set it up in the
first place.  Perhaps the complexity of keeping an AFS cell running
is too much and they're looking for something simpler?  The NFS
automounter is certainly simpler than AFS, but it's not nearly as
elegant.

> Hmm...does this sound biased?

Yeah, but at least you're not biased in favor of something evil
like NT.  :-)

Cheers!

Paul Allen
-- 
Paul L. Allen           | voice: (206) 865-3297  fax: (206) 865-2964
Unix Technical Support  | [EMAIL PROTECTED]
Boeing ISS Research & Technology, POB 3707 M/S 7L-68, Seattle, WA
98124-2207
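
An added example, not part of the original message: a small audit that reads passwd-format lines (such as saved output of "ypcat passwd" run as an ordinary user) and reports accounts whose password field is a readable hash or is empty. The sample lines are constructed, and the set of placeholder values treated as hidden ("##name", "x", "*", "!", "*LK*", "NP") is an assumption to adjust per platform.

```python
import re

# Traditional DES crypt(3) output: exactly 13 chars from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Assumed placeholders meaning "the real hash lives elsewhere or is locked".
PLACEHOLDERS = {"x", "*", "!", "*LK*", "NP"}

def classify_field(pw):
    """Classify the second (password) field of one passwd entry."""
    if pw == "":
        return "empty"                    # account has no password at all
    if pw.startswith("##") or pw in PLACEHOLDERS:
        return "hidden"                   # hash is not in the world-readable map
    if DES_CRYPT.match(pw) or pw.startswith("$"):
        return "exposed"                  # a crackable hash any user can read
    return "unknown"

def audit(lines):
    """Map each account name (or 'line N' if malformed) to a classification."""
    findings = {}
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line[0] in "#+-":  # skip comments and compat entries
            continue
        fields = line.split(":")
        if len(fields) < 7:
            findings[f"line {n}"] = "malformed"
            continue
        findings[fields[0]] = classify_field(fields[1])
    return findings

def at_risk(lines):
    """Accounts an ordinary user could attack offline or log into directly."""
    return sorted(k for k, v in audit(lines).items() if v in ("exposed", "empty"))

# Constructed sample input; the 13-character string is not a real hash.
SAMPLE = [
    "alice:##alice:1001:100:Alice:/home/alice:/bin/csh",
    "bob:ab01FAKEhashX:1002:100:Bob:/home/bob:/bin/sh",
    "carol:x:1003:100:Carol:/home/carol:/bin/sh",
    "dave::1004:100:Dave:/home/dave:/bin/sh",
    "broken:line",
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
    print("at risk:", at_risk(SAMPLE))
```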
