[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: transfering files between *.debian.org hosts (was: people.debian.org to move to ravel)

On Sat, Aug 30, 2008 at 02:32:08PM +0200, Peter Palfrader wrote:
> - install sendfile/saft on all machines so you can do
>     sendfile foo.tar.gz weasel@merkel
>   The crypto stuff could be alleviated by using ipsec between all our
>   servers.  But that works even less well than you'd expect.

The machines needs to check DNSSEC or the names can be spoofed which
makes ipsec mood.

> - setup afs
>   pros: + AFS is cool

Yeah. You can make read-only snapshots for backup purposes.

>         + once we have a krb realm we could maybe also use it for other
>           stuff like all those web services that require logins.  How
>           good is krb support in browsers these days?

Firefox supports it in a whitelist approach. However I never tested it.

>   cons: - integrating krb and afs into ud-ldap is a lot of work
>         - setting up afs will be a lot of work too
>         - little prior experience with afs
>         - AFS suffers from the not-a-filesystem syndrome: file access
>           control is not unix-like and will confuse users.

Also other parts are not really POSIX-like. Hardlinks or so.

>         - might cause problems with existing firewalls.

          - The needed kernel module still uses rootkit-like behaviour.

> What other options did we forget?

- Setup Kerberos, allow it as an additional ssh login variant

  + Ticket forwarding

However, only the insecure options allow automatic operation, so lets
extend some options (yes, I think about the D-I images which are
located in people):

- Allow additional principals for automatic usage

  This can be combined with AFS and SSH-Kerberos

  Each user can create additional principals $USER/cron/$ID@$REALM, the
  keys are put into a keyfile so that a script can create a ticket and
  use that to do the operations.

  AFS: Just needs proper ACLs for this principal.
  SSH: Needs mapping in /etc/krb/krb5.conf or .k5login and there was
  something else.


Extreme feminine beauty is always disturbing.
		-- Spock, "The Cloud Minders", stardate 5818.4

Reply to: