On Sat, Aug 30, 2008 at 02:32:08PM +0200, Peter Palfrader wrote:
> - set up afs
>
> Using AFS would allow us to use a shared /afs/debian.org tree on all
> our systems. AFS does all the magic crypto stuff so you don't have to
> worry about Eve sniffing or Mallory tampering with packets.
>
> Setting up AFS is a big chunk of work. It would require us first to
> set up a kerberos realm, to integrate it into ud-ldap so that new krb
> principals are created with ud-ldap users, and that ud-ldap users can
> set krb passwords, which probably should be different from their ldap
> password.
>
> On the user side once logged in you'd have to get a kerberos ticket
> using your krb password, then alog to get access to your
> /afs/debian.org/transfer/$user or whatever.
>
> We will not put homedirs onto AFS (that would completely torpedo the
> initial goal), it would simply provide a transfer area.
>
> pros: + AFS is cool

That's never been a very good reason, IMO. But, hey, I won't deny it,
either ;-)

> + once we have a krb realm we could maybe also use it for other
>   stuff like all those web services that require logins. How
>   good is krb support in browsers these days?

Pretty good. Konqueror supports it out of the box, iceweasel only
requires you to edit the 'network.negotiate-auth.trusted-uris'
about:config variable, and then it works well, too. Dunno about other
browsers.

(for some unfathomable reason, the firefox developers consider Negotiate
authentication to be unsafe with untrusted and/or non-SSL hosts. Dunno
why that is, and never saw a compelling argument...)

-- 
<Lo-lan-do> Home is where you have to wash the dishes.
  -- #debian-devel, Freenode, 2004-09-22