An Overview of AFS
AFS is a distributed file system product, pioneered at Carnegie Mellon University and supported and developed as a product by Transarc Corporation (now IBM Pittsburgh Labs). It offers a client-server architecture for file sharing, providing location independence, scalability, and transparent migration capabilities for data. For further information, view the AFS Frequently Asked Questions site.
Distributed Authentication and AFS
The distributed authentication service uses AFS as part of its recommended security scheme for user authentication. More specifically, the cookie in the user's Web browser is checked for consistency against the AFS token file containing similar data. To use this service, the local Web server must be able to read the contents of a restricted authentication directory. Reading the file implies two things:
- The local Web server must be authorized to read the file. Email afs-setup@ucdavis.edu and request that the IP address of your server be authorized to read the authentication directory.
- The local Web server must be capable of reading files in AFS space. There is a difference between a user being able to access AFS space via an AFS proxy server and the server itself having direct AFS access. Distauth requires direct AFS access.
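The following is an added example, not Distauth's own code, of how a local Web server might check a cookie against a token file it reads directly from the restricted directory. The cookie format "<login_id>:<token>", the one-file-per-token layout, and the names check_cookie and demo are assumptions made for illustration; the page does not give the real formats.

```python
import hmac
import os
import re
import tempfile

# Assumed cookie format "<login_id>:<token>"; the real Distauth format is not
# given on the page. Strict patterns keep "/" and ".." out of the file lookup.
COOKIE_RE = re.compile(r"([a-z][a-z0-9]{1,15}):([A-Za-z0-9]{32})")


def check_cookie(token_dir, cookie_value):
    """Return the login ID if the cookie agrees with its token file, else None."""
    match = COOKIE_RE.fullmatch(cookie_value or "")
    if match is None:
        return None                        # malformed value, never touches disk
    login_id, token = match.groups()
    path = os.path.join(token_dir, token)  # assumed layout: one file per token
    try:
        with open(path, "r", encoding="ascii") as fh:
            recorded = fh.readline().strip()
    except (OSError, UnicodeDecodeError):
        return None                        # no such token, or directory unreadable
    # Constant-time comparison of the cookie data with the token file's copy.
    if not hmac.compare_digest(recorded.encode(), cookie_value.encode()):
        return None
    return login_id


def demo():
    """Build a constructed token directory and run three lookups against it."""
    token = "A" * 32                       # constructed sample token
    with tempfile.TemporaryDirectory() as token_dir:
        with open(os.path.join(token_dir, token), "w", encoding="ascii") as fh:
            fh.write("jdoe:" + token + "\n")
        return (
            check_cookie(token_dir, "jdoe:" + token),          # agrees with file
            check_cookie(token_dir, "asmith:" + token),        # login ID differs
            check_cookie(token_dir, "jdoe:../../etc/passwd"),  # fails the pattern
        )


if __name__ == "__main__":
    print(demo())
```

A failed read returns None rather than raising, so a server without direct AFS access or without authorization denies every request instead of letting one through.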
Classlists and AFS
As part of Distauth, IET and the Office of the Registrar provide access to the UCDLoginIDs of the members of each active class on campus. The purpose of these lists is to provide a means of authorization. By restricting access according to class membership, the intellectual property rights of the faculty member who is posting material to the Web can be properly enforced. The lists are updated nightly. Read access to these lists implies three things:
- The local Web server must be authorized to read the file. Email afs-setup@ucdavis.edu and request that the IP address of your server be authorized to read the classlist directory and the authentication directory.
- The local Web server must be capable of reading files in AFS space. There is a difference between a user being able to access AFS space via an AFS proxy server and the server itself having direct AFS access. The reading of classlists requires direct AFS access.
- Your Web server must be secure. In this case, this means that it should be accessed only by the Webmaster and system administrator, and kept in a secure location.
For further information, view the classlist page.
Campus Access and AFS
When a Web site is secured and no more restrictive file access is specified, the Web site will be accessible to anyone with a valid UCDavis LoginID and Kerberos password. The community with such access includes students, staff, faculty, and sponsored campus affiliates.
- The local Web server must be authorized to read the file. Email afs-setup@ucdavis.edu and request that the IP address of your server be authorized to read the campus authentication directory. If you have previously contacted afs-setup and requested access to AFS to provide strict security, then you do not need to complete this step.
- The local Web server must be capable of reading files in AFS space.
- Your Web server must be secure. In this case, this means that it should be accessed only by the Webmaster and system administrator, and kept in a secure location.
Acquiring AFS Client Software
AFS client software for Windows, Mac, and Unix is available from OpenAFS. IBM has continued to provide updates to their client software as well.
