Hello Dave
On Sun, 2006-04-16 at 09:25 -0700, dave johnson wrote:
> I cannot see how anyone can recommend not using authentication on any network
> at any location. If you have a wireless access point on your "home"
> network, or have vpn access or port-forwarded access to any number of access
> mechanisms such as ssh, vnc, rdp, etc, or have children or other ignorant
> users, or quite simply "any users who are not unix admins", then running
> open authentication is certainly not "overkill" and suggesting doing so is
> foolish at best, and outright negligent at worst.
Sure, having an authentication server always helps. It also helps to use
IPsec for network layer security or SSL for transport layer security
(which Openfiler supports for WebDAV and HTTPS). But there is a line
between security and convenience. There's a reason why public shares
exist, other than just for anonymous sharing for all. They provide
convenience without having to log in and log out of shares. Nowadays,
filesystem client drivers have taken over this job caching credentials.
For a person who controls all access to their network, i.e., -the only
user-, public shares make perfect sense. That's why I said "personal
use". Even if a share is run in public mode, it can still be configured
to be accessible only from certain machines---Openfiler allows that.
A lot of things affect security on a public network. Even properly
configured file access protocols used in the majority of installations today
suffer from lack of network layer security, which pretty much leaves the
rest of the security infrastructure insufficient and ineffective in many
network topologies. A person who runs a network with multiple clients
will have to make himself/herself aware of how to administer a network
correctly. A person who runs an open system wireless access point has far
more to worry about than just running a public share. It is also not the
job of the Openfiler project to tutor "any users who are not unix
admins" or any other users about network security. If they do not know
what a public/guest share implies for their network, they have bigger
problems. In fact, Chris Bussey did realise that public/guest shares
would be insufficient for his implementation in our phone conversation.
When it comes to using Openfiler for personal use with or without a
currently non-existing network directory service (which "any users who
are not unix admins" will find difficult to install and configure), I am
*not* going to suggest giving security a higher place over convenience
and freedom. People have different priorities and personal choices of
implementations and this is mine. It can certainly be upgraded to use
authentication once they have it functioning on their network.
I do not see why you have to write such a critical email over a simple
instruction which was clearly meant to be used for personal use with his
stated network configuration.
You can reply to this email to voice your concerns with my mail, but as
a discussion of a complex area such as network security is not really an
Openfiler subject, and as our personal opinions about security already
mismatch, I have said enough.
>
> struggling with getting LAM installed for 2 days now... but it is
> open source, I really can't complain.
>
We named it as we used it to configure a few test boxes and it works
fine for us. Once you get used to it, you'll find managing users with it
easy.
> btw2, I assume that if I installed yum centos repos, none of my openfiler
> updates will work? (new to yum). For now, I'm sticking with up2date for
> centos install mgmt, and yum to get the of patches.
>
You are required to use the Openfiler supplied repositories. Openfiler
is based on CentOS. It is not CentOS.
Mukund
_______________________________________________
Openfiler-users mailing list
https://lists.openfiler.com/mailman/listinfo/openfiler-users