On Sat, Aug 30, 2008 at 02:32:08PM +0200, Peter Palfrader wrote:
> - install sendfile/saft on all machines so you can do
>   sendfile foo.tar.gz [EMAIL PROTECTED]
>
> The crypto stuff could be alleviated by using ipsec between all our
> servers. But that works even less well than you'd expect.

The machines need to check DNSSEC or the names can be spoofed, which
makes ipsec moot.

> - setup afs
>
> pros: + AFS is cool

Yeah. You can make read-only snapshots for backup purposes.

>       + once we have a krb realm we could maybe also use it for other
>         stuff like all those web services that require logins. How
>         good is krb support in browsers these days?

Firefox supports it in a whitelist approach. However, I never tested it.

> cons: - integrating krb and afs into ud-ldap is a lot of work
>       - setting up afs will be a lot of work too
>       - little prior experience with afs
>       - AFS suffers from the not-a-filesystem syndrome: file access
>         control is not unix-like and will confuse users.

Also other parts are not really POSIX-like. Hardlinks or so.

>       - might cause problems with existing firewalls.

      - The needed kernel module still uses rootkit-like behaviour.

> What other options did we forget?

- Setup Kerberos, allow it as an additional ssh login variant
  + Ticket forwarding

However, only the insecure options allow automatic operation, so let's
extend some options (yes, I think about the D-I images which are located
in people):

- Allow additional principals for automatic usage
  This can be combined with AFS and SSH-Kerberos.
  Each user can create additional principals $USER/cron/[EMAIL PROTECTED];
  the keys are put into a keyfile so that a script can create a ticket
  and use that to do the operations.
  AFS: Just needs proper ACLs for this principal.
  SSH: Needs mapping in /etc/krb/krb5.conf or .k5login, and there was
  something else.

Bastian

--
Extreme feminine beauty is always disturbing.
		-- Spock, "The Cloud Minders", stardate 5818.4
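The ".k5login mapping" point above is the crux of using a per-user automation principal over SSH: without an explicit mapping, a principal with an instance such as alice/cron/... is not accepted for the local account alice. The following is an added example, not code from this thread, modelling the decision rule sshd's GSSAPI path delegates to MIT krb5's krb5_kuserok (simplified; the realm, host and user names are constructed for illustration).

```python
"""Simplified model of krb5_kuserok(): may Kerberos principal P log in as
local user U?  Real krb5 adds checks (e.g. .k5login ownership/permissions)
and auth_to_local rules from krb5.conf; this shows the core mapping only.
Constructed assumptions: default realm EXAMPLE.ORG, local user 'alice',
automation principal alice/cron/build1.example.org@EXAMPLE.ORG whose key
sits in a keytab (a cron script would run
  kinit -kt /home/alice/cron.keytab alice/cron/build1.example.org
before using ssh with GSSAPI).
"""
from typing import List, Optional

DEFAULT_REALM = "EXAMPLE.ORG"

# Constructed sample content of /home/alice/.k5login.  Once this file
# exists, ONLY the principals listed here are accepted, so the user's own
# plain principal must be listed too or interactive login breaks.
ALICE_K5LOGIN = """\
alice@EXAMPLE.ORG
alice/cron/build1.example.org@EXAMPLE.ORG
"""


def parse_k5login(text: str) -> List[str]:
    """One principal per line; blank lines ignored, no wildcards."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def kuserok(principal: str, local_user: str, k5login: Optional[str]) -> bool:
    """k5login: content of ~local_user/.k5login, or None if the file is absent.

    Rule 1: if .k5login exists, the principal must appear in it verbatim.
    Rule 2: otherwise only <local_user>@<DEFAULT_REALM> with no instance
            maps to local_user; alice/cron/...@REALM is rejected.
    """
    if k5login is not None:
        return principal in parse_k5login(k5login)
    name, _, realm = principal.partition("@")
    return realm == DEFAULT_REALM and "/" not in name and name == local_user


if __name__ == "__main__":
    cron = "alice/cron/build1.example.org@EXAMPLE.ORG"
    print("no .k5login  ->", kuserok(cron, "alice", None))          # False
    print("with mapping ->", kuserok(cron, "alice", ALICE_K5LOGIN))  # True
```

The same rule also shows why a stolen cron keytab is scoped: the principal only ever maps to the accounts whose .k5login explicitly lists it.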