On Fri, 29 Jan 2010 17:52:45 +0100 Anders Magnusson <[email protected]> wrote:
> Andrew Deason wrote:
> > could protect the directory where the keytabs are under an IP ACL,
> > but IP ACLs don't always work so well, and you'd open up access to
> > anyone
>
> When do IP ACLs not work so well?

Well, they are a bit confusing compared to normal entries. Some changes can take up to 2 hours to take effect, and you need to put IP ptdb entries in groups before putting them in ACLs, neither of which I find intuitive.

They also depend on accurate tracking of what IPs a client has. The fileserver client host tracking code in general has had a history of problems. Though improvements have been made, trying to track what IPs clients are coming from is just a difficult problem, and in my experience may not be as reliable as other security mechanisms. And since it relies on where a packet is coming from... obviously it's going to be less secure if someone can successfully impersonate another IP.

To answer the question of 'when', though, the most likely time for them screwing up I think would be when you have multihomed and/or quickly-moving clients. At least, that's where the host-tracking issues have been recently, if I recall correctly.

-- 
Andrew Deason
[email protected]

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
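The setup sequence Andrew refers to (an IP entry in the protection database, placed in a group, and only then the group on the directory ACL), as an added example that is not part of the original thread; the address, group name, owner and directory path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the OpenAFS-info thread. Shows the order of
# OpenAFS commands needed to grant read access to one client IP address.
# Defaults to dry-run (prints commands); set DRY_RUN=0 to actually apply.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Run a command, or print it when DRY_RUN=1 so the script can be previewed
# on a machine without AFS installed.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Grant read+lookup on a directory to a single client IP address.
# $1 = client IP, $2 = ptdb group to hold it, $3 = group owner, $4 = directory
grant_ip_read() {
    ip="$1"; group="$2"; owner="$3"; dir="$4"
    # 1. An IP entry is created with 'pts createuser', using the address as its name.
    run pts createuser -name "$ip"
    # 2. An IP entry cannot be put on an ACL directly; it must be in a group first.
    run pts creategroup -name "$group" -owner "$owner"
    run pts adduser -user "$ip" -group "$group"
    # 3. Only the group goes on the ACL ('rl' = read + lookup).
    run fs setacl -dir "$dir" -acl "$group" rl
    # Caveat from the thread: the fileserver caches each host's group
    # membership, so the new rights can take up to two hours to take effect.
}

# Assumed values: address, group, owner and path are placeholders.
grant_ip_read 192.0.2.10 admin:keytab-readers admin /afs/example.org/keytabs
```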
