On Wed, May 01, 2002 at 01:33:18PM -0500, Bob Tanner wrote:
> Quoting Chad Walstrom (chewie at wookimus.net):
> > Frankly, I would love to do other things to enhance security before
> > incorporating Kerberos. i.e. NFS over TCP+ssl, etc.
>
> Isn't that just AFS+Kerberos = NFS+TCP+ssl?

As far as security goes, maybe. Functionality, not even close.

NFS
- Uses UNIX native permissions
- Easily compromised from a local root user su-ing to another user
- Local area file system
- Lots of little exports
- Use what the OS gives you
- Uses groups from yp and /etc/group
- Uses standard unix file system tools (chmod, chown, etc)
- Client keeps a cache of a few MB

AFS
- Uses fine grained ACLs (read, lookup, insert, delete, write, lock, admin)
- Each person must be authenticated with Kerberos
- Global file system
- One common view of the AFS tree
- Built in volume manager
- Users can make their own groups and add whoever they want
- Comes with its own file system tools (fs, pts, etc)
- Client keeps a cache of 50 - 100 MB

Not that I wanted to start an NFS vs AFS flamewar. Just don't insult AFS as being like NFS.

Nate
ex-AFS user