Date: Thu, 25 Sep 2003 12:37:13 -0400 (EDT)
From: Robert Watson <robert@fledge.watson.org>
To: "David G. Andersen"
cc: freebsd-security@freebsd.org
Subject: Re: unified authentication
In-Reply-To: <20030925100650.B80664@cs.utah.edu>

On Thu, 25 Sep 2003, David G. Andersen wrote:

> > The Arla client used to work quite well, and probably still works quite
> > well on 4.x. I'm not sure of the status of Arla on 5.x. It sounded like
> > Tom Maher had the OpenAFS server code up and running on FreeBSD, so you
> > should at least have access to a pair of AFS client/server that work.
>
> If the client machines are semi-trusted, SFS is a good solution.
> I don't know that its authentication is integrated with Kerberos,
> but the security model is at least stronger than NFS: root on a
> client machine could gain access to users' accounts if they accessed
> them from that machine, but not to accounts that merely were OK
> to export to that machine.
>
> http://www.fs.net/

And one of the very nice things about the SFS implementation is that it
plugs into loop-back NFS on the client, so you don't need special kernel
changes, which is what has made the OpenAFS and Arla stuff so difficult.
On the other hand, there's presumably the expected observable performance
difference...

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories