[OpenAFS] Re: Authentication without aklog

Dave Botsch botsch@cnf.cornell.edu
Fri, 1 Aug 2014 10:52:38 -0400

On Thu, Jul 31, 2014 at 05:32:53PM -0500, Andrew Deason wrote:
> So, do I take this to mean, "these solutions work well enough for us, so
> I don't really care"? :)

No, not in the least. I care very very much and wish I had the time to
improve the AFSTokens app.

Certainly there's always that easier 95% that gets one most of the way
there and then that last, slow 5% which hinges on whether the first 95%
is "good enough".

The user experience is paramount. The average user honestly doesn't care
if under the hood of whatever credential tool there is a plugin or two
or three or none.  In our experience, all the user cares about is being
able to easily get AFS Tokens and not having to worry about the
difference between Kerberos tickets and AFS Tokens. That is, the user
types in their username and password and... done. 

IMHO, krb5-auth-dialog, AFSTokens, PAM logins via gdm and sshd,
afscreds.exe, windows integrated login, and mac os x integrated login
all provide this vital user experience.

The administrator is a different discussion, of course :)

David William Botsch