From: David W. <wo...@pl...> - 2002-09-29 22:54:41
Nathan Yocom wrote:

>> Actually, I was thinking that we could do this on the client side.
>> For example:
>>
>> <user localid="*" remoteid="username"/>
>>
>> instead of adding the map option.
>
> That's what I am wondering - could it make sense to have it on both
> sides? That way, an administrator could restrict all access from a
> certain machine to a particular user account - without having to trust
> the client machine to configure it.
>

Well, from a usability standpoint, that might be kind of confusing. A client may set up one mapping (local user to remote user), and the server would make another mapping. Perhaps it makes the most sense to not allow the server to do any user/group mappings at all. It only knows that the client has permissions (a token) to connect as a certain user.

Which brings up another point. Say localUserA logs in and gets a token for remoteUserA. Then localUserB logs in and is mapped to the same remoteUserA. localUserB should then need to provide the password for remoteUserA, and once authenticated would get a separate token. Now, the server doesn't know the difference between localUserA and localUserB, he doesn't need to. So should we have two different tokens or just a single token shared by both?

Dave

P.S. When did you get your own domain (yocom.org)?

--
----------------------------------------------------------------
I encourage correspondence using GnuPG/OpenPGP encryption.
My public key: http://www.cs.plu.edu/~dwolff/pgpkey.txt