On Mon, 26 Mar 2007, Jeffrey Altman wrote:

> Do you have AFS Servers running on the portables? In this solution it
> is the server that is given a key, not the clients.

This is going to work backwards from most implementations? We create a unique key on the clients, and they use that to do a Kerberos-key-style key exchange, but backwards, because the client is considered trusted and the server isn't? Are we protecting against spoofed clients or spoofed servers? Or just worried about eavesdropping?

> If the clients have a key, then they can just use Kerberos.

If you use Kerberos, it still isn't going to work with a detached network, is it? I thought the host key was still verified by the Kerberos server even though it is "trusted". And the users' passwords still had to be trusted by the authentication server. How is this going to work on a client machine detached from the network?

> If you are using Windows, you can encrypt your cache today. Just mark
> the page file directory as encrypted. The SYSTEM account key will be
> used to encrypt the file.

I'm not really worried about an encrypted filesystem per se; that has been done for years and years with hundreds of different algorithms. I am concerned about multi-user machines, and stolen laptops with sensitive data. You want users to be able to use it detached from the network but yet securely across all platforms. I don't know how to get around this one, to be honest; at some point the security model breaks without 2nd-party (at least) verification. Even a key stored somewhere could be hacked by an admin user. I don't know, maybe my ideal of secure is too secure to be implemented... I was just trying to find a better way.. (and yes, I do realize every security model breaks down at some point.)

--------------------------------------
Sean O'Malley, Information Technologist
Michigan State University
-------------------------------------
_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
