[OpenAFS] Re: Any budding documentation writers

Russ Allbery rra@stanford.edu
Wed, 03 Mar 2010 13:16:26 -0800
Andrew Deason <adeason@sinenomine.net> writes:
> Jeffrey Altman <jaltman@secure-endpoints.com> wrote:

>> As with any Kerberos based GSSAPI mechanism there needs to be a
>> credential cache.  Even klog.krb5 uses a credential cache.  It just
>> destroys the contents of the cache it creates after it is finished.

> This is what I didn't know. That seems crazy to me, but if that's what
> we've got, it's what we've got.

Well, bear in mind that one of the goals of rxgk is to have per-server
credentials, so that someone can set up an AFS file server without getting
the keys to the entire cell.  This means that a client may have to
authenticate separately with each server, which means that in a Kerberos
context one cannot do the current aklog trick of getting all the service
tickets one needs in advance.  You instead need to give rxgk a TGT so that
it can obtain new credentials to authenticate to other servers when
needed.

This in and of itself wouldn't require a ticket cache if there were some
way for rxgk to communicate Kerberos credentials down to the Kerberos
mechanism implementation through the GSSAPI API in the event that Kerberos
was a supported mechanism, but this both requires mechanism-specific
information in the front-end (which Simon is trying to avoid because it
does make your life more complicated and runs a significant risk of
breaking other mechanisms if you do it wrong), and requires a richer
GSSAPI API than is normally available.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>