Excerpts from Firewalls: 26-Oct-93 System Security Richard
> And if you suggest to an Athena-type person that maybe two people
> might actually want to *share* a machine, especially at the *same
> time*, they look at you with horror and tell you that such a thing is
> completely insecure. (The Kerberos authentication approach is
> susceptible to attack on multi-user systems. Breaking Kerberos can
> also break AFS security.)
What leads you to believe that AFS or DCE relies on a
one-person/one-machine concept? I can assure you it does not.

AFS authentication tokens are stored in the kernel of the authenticating
host, and cache chunks are root-protected on a disk or stored in RAM.
Neither the tokens nor the cache needs to reside on the local (physical)
machine. The only user that has access to cached data or stored tokens
is the root account on the cache manager host.

True, the host which runs the cache manager needs a protected root
password, but I wouldn't by any means say that this constitutes
"complete insecurity" -- it makes the system as secure as the root
password of the cache manager.

Physical security is always the lowest common denominator in *any*
secure system. You of course don't want to make it easy for the locals
to cart off your disks, or boot your server in single-user mode in the wee
> I hope that when (if?) DCE and friends become available, they do not
> rely on the same one person/one machine ideal. We don't need another
> NFS or Athena, we need a robust, trustworthy, multiplatform,
> multiuser-safe system to protect our data. (I'm not holding my
> breath waiting for such a system to appear, however.)
You wouldn't have to wait long -- it's here. ;-)