16. The Andrew File System (AFS)
ASU supports the Andrew File System (AFS), which in turn supports a number of useful security features. First, all usernames and passwords are kept in a central database, and both the contents of that database and all communication with it are encrypted. Passwords are not kept on the client workstations, so a hacker who looks for passwords in /etc/passwd or /etc/shadow on a client will be disappointed. AFS also includes Kerberos as a built-in feature of the system. Access to any part of the file space under AFS is controlled by special tokens. In order to get a token, a user must present a username and password at login time, which is then authenticated via Kerberos.
Second, AFS makes systems administration of usernames and passwords pretty easy. Once the AFS client is installed on a system, the system administrator simply puts entries into /etc/passwd that have an X in the password field. Typically, the home directory points to somewhere in AFS file space. For example, an entry in /etc/passwd might look like this:
Now, the user “johndoe” can log into any AFS client system using the same password. Again, all communications between the AFS client and the AFS servers are encrypted. So, there is little fear of Ethernet sniffing or other attempts to steal a password off the network.
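The following is an added audit script, not part of the original page, that checks /etc/passwd-style entries on an AFS client against the two conventions described above: no local password hash in the password field, and home directories inside AFS file space. It runs on constructed sample entries; the AFS mount point /afs, the usernames and the sample hash are all assumptions.

```python
"""Audit /etc/passwd entries on an AFS client.

An AFS client should carry only an 'X' (or 'x') in the password field of
each entry, with user home directories pointing into AFS file space.
This script flags entries that keep a local password hash or a non-AFS
home. The sample data below is constructed for illustration.
"""
from typing import List, Tuple

AFS_ROOT = "/afs"  # assumed AFS mount point on the client

# Constructed sample entries (not taken from the original page).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
johndoe:x:1001:100:John Doe:/afs/example.edu/home/johndoe:/bin/tcsh
localbob:$1$abcd$fakehashvalue:1002:100:Local Bob:/home/localbob:/bin/sh
janeroe:x:1003:100:Jane Roe:/home/janeroe:/bin/sh
"""

# Password-field values that mean "no local hash stored here".
NO_LOCAL_HASH = ("x", "X", "*", "!")


def parse_passwd(text: str) -> List[Tuple[str, str, str]]:
    """Return (username, password_field, home) for each well-formed line."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess at its layout
        user, pw, _uid, _gid, _gecos, home, _shell = fields
        entries.append((user, pw, home))
    return entries


def audit(text: str, system_users=("root",)) -> List[str]:
    """Return findings for accounts with a local hash or a non-AFS home."""
    findings = []
    for user, pw, home in parse_passwd(text):
        if pw not in NO_LOCAL_HASH:
            findings.append(f"{user}: local password hash present in /etc/passwd")
        # System accounts such as root legitimately live outside AFS.
        if user not in system_users and not home.startswith(AFS_ROOT + "/"):
            findings.append(f"{user}: home directory {home} is outside AFS")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD):
        print(finding)
```

On a real client, replace SAMPLE_PASSWD with the contents of /etc/passwd; a hash found there means a password exists outside the central Kerberos database.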
To get an ASURITE userid into ASU’s Kerberos database, the user need only apply for one at the Accounts Office in the Computing Commons building.
While AFS has many other benefits, the security benefits alone make running AFS clients worth considering. For more information on AFS and the newer Distributed Computing Environment (DCE), see http://www.transarc.com.