288 NFS

MIT’s Project Athena attempted to add security to NFS using a network
security system called Kerberos. True to its name, the hybrid system is a
real dog, as Alan Bawden found out:

Date: Thu, 31 Jan 91 12:49:31 EST
From: Alan Bawden <[email protected]>
Subject: Wizards and Kerberos

Isn’t it great how when you go to a Unix weenie for advice, he never
tells you everything you need to know? Instead you have to return to
him several times so that he can demand-page in the necessary
information driven by the faults you are forced to take.

Case in point: When I started using the Unix boxes at LCS I found
that I didn’t have access to modify remote files through NFS.
Knowledgeable people informed me that I had to visit a Grand
Exalted Wizard who would add my name and password to the
“Kerberos” database. So I did so. The Grand Exalted Wizard told me
I was all set: from now on whenever I logged in I would
automatically be granted the appropriate network privileges.

So the first time I tried it out, it didn’t work. Back to the
Unix-knowledgeable to find out. Oh yeah, we forgot to mention that in order to
take advantage of your Kerberos privileges to use NFS, you have to
be running the nfsauth program.

OK, so I edit my .login to run nfsauth. I am briefly annoyed that
nfsauth requires me to list the names of all the NFS servers I am
planning on using. Another weird thing is that nfsauth doesn’t just run
once, but hangs around in the background until you log out.
Apparently it has to renew some permission or other every few minutes or
so. The consequences of all this aren’t immediately obvious, but
everything seems to be working fine now, so I get back to work.

Eight hours pass.

Now it is time to pack up and go home, so I try to write my files back
out over the network. Permission denied. Goddamn. But I don’t have
to find a Unix weenie because as part of getting set up in the
Kerberos database they did warn me that my Kerberos privileges would
expire in eight hours. They even mentioned that I could run the kinit
program to renew them. So I run kinit and type in my name and
password again.