Subject: Re: NFS and privileged ports
To: Jonathan Stone <jonathan@dsg.stanford.edu>
From: Douglas Wade Needham <cinnion@ka8zrt.com>
List: tech-net
Date: 11/09/2004 08:32:26
Sender: tech-net-owner@NetBSD.org

To continue the "devil's advocate" stance.  How would this work with
diskless workstations?  Sure, you can build up a kernel with a ramdisk
for each machine, but do you want to do that for dozens or hundreds of
machines??  Of course, there still remains the question of how are you
going to get those keys to the clients securely?

Of course, I seem to remember reading someplace these past few months
that some college/university was looking at PCs as diskless xterms
with a twist... USB "key fobs" which contained identity for the user.
Place the fob in a USB port, start using the machine, and the machine
would read your identity files to establish the NFS connections it needed.
There were a few holes in the implementation design, but it was better
than what they had.

- Doug


Quoting Jonathan Stone (jonathan@dsg.stanford.edu):
> In message <20041109030840.GA879@panix.com>Thor Lancelot Simon writes
> 
> >Why should your use case take precedence over mine?
> 
> Thor, 
> 
> Partly from curiosity, partly devil's-advocate:
> 
> Suppose NetBSD supported NFS with GSSAPI authentication (also
> sometimes called "secure NFS"), and you had local /etc/krb5.keytab
> files with tickets on your clients (for root to do mounts at
> boot-time) and server (to authenticate the server to clients). Suppose
> further that this hypothetical NFS used opencrypto(9), with support
> for ~cheap accelerators.
> 
> How would that meet your needs?

-- 
Douglas Wade Needham - KA8ZRT        UN*X Consultant & UW/BSD kernel programmer
Email:  cinnion @ ka8zrt . com       http://cinnion.ka8zrt.com
Disclaimer: My opinions are my own.  Since I don't want them, why
            should my employer, or anybody else for that matter!