[OpenAFS] kaserver deprecation, OpenAFS future, etc...

Ken Hornstein kenh@cmf.nrl.navy.mil
Thu, 19 Oct 2006 10:28:04 -0400


>I spent weeks poking around at it several months ago.  We
>*were* well on our way toward a KDC-auth setup in our little
>corner.  I wouldn't *strongly* recommend it to anyone who
>expects users to get tokens automatically when they login.
>But usability is of no real concern to security guys.

I don't think that's quite fair.  We've been getting AFS tokens at
login time automatically for ... I guess it's more than 8 years now
(I'm talking about Kerberos 5 + aklog).  I consider myself a security
guy, and usability is definitely one of my concerns ... we have to
balance it against security, of course, but getting AFS tokens at login
time is really a no-brainer.  You make it seem like we're all
conspiring in some dark basement against you:  "Hahaha, by silently
deprecating kaserver, we're REALLY going to stick it to Mitre this
time!".

The reality is more complex.  It's been possible to use your Kerberos 5
KDC with AFS (even IBM AFS) for a long time.  I gave a presentation
about my work on this back at the 1998 (or was it 1997?) Decorum ...
and I wasn't the first.  Okay, using a V5 KDC with AFS was on the
fringe back then; you had to collect tools from a few different places
together to make it all work.  It's been more and more common recently;
now nearly all of the tools you need to do it are included with OpenAFS,
and people have some not-bad writeups in the Wiki explaining what you need
to do.

Unfortunately, like many open-source projects, the documentation and
integration pieces aren't the best.  It's all a matter of resources;
once you spend time figuring something out, you don't have much time to
write it down for other people.  I personally don't think the
documentation in the migration kit is so bad (I'm biased, because I
wrote it), but that only got written because my boss specifically asked
me to.  I don't work on PAM because I think it's evil (I'm sort-of PAM
agnostic), but because we have a non-PAM solution working for every
system we care about that gets AFS tokens just fine, so I don't care
that much about it.  Maybe if I had some free time I'd work on it ...
but I don't.  So it's not like we're actively trying to make usability
worse ... it's just that the out-of-the-box experience right now isn't
great because no one has the time or energy to devote cycles to the big
picture.

--Ken