>So, you're going to issue client credentials to all of your AFS clients?
>
>A valiant attempt, but I see practicality and management issues. ;)

For hosts I manage (e.g., the ones I really do care about priv escalation issues) they already have an installed Kerberos keytab. Some significant work would have to be done to make this usable by the AFS client, but I don't see anything inherently insurmountable.

I'm not saying a "trust the first connect" fallback isn't worthwhile, but if you've already drunk the Kerberos Kool-Aid, one of the hard pieces (the key distribution & management piece) is already done.

--Ken

_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
