[OpenAFS] Re: Authentication without aklog

Dave Botsch botsch@cnf.cornell.edu
Fri, 1 Aug 2014 10:55:21 -0400

Well, is anything really transparent for the administrator? Especially
w.r.t. AFS, where the admin has to also configure the ThisCell, the afs
cache size (pre-allocate a cache partition, too, on Linux), edit
ThisCell to be reasonable, and set numerous other client options (config
files on Mac and Linux and "ew" registry on Windows)?

A GUI installer/config doo-hickey would certainly be nice, of course,
for the less tech-savvy administrator or the end user trying to install
AFS and needing to configure some of those other options (esp., again, on
non-Windows/Mac). I enjoy the cell input dialog and the Windows GUI
installer. But, for more managed installations, I'm also glad that on
Linux they aren't required (just install the RPM and push out some
config files).

W.r.t. PAM, I like the idea of AFS being just another PAM module, versus
some other mechanism that's different from anything else.

Could AFS work like other Kerberos apps with more direct use of Kerberos
tickets and just getting the service ticket when needed, versus having
to do something extra (i.e., aklog)? Dunno. Would be nice, but not
required, IMHO, as long as the user experience is sane.

On Fri, Aug 01, 2014 at 09:40:39AM -0500, Andrew Deason wrote:
> On Fri, 1 Aug 2014 07:02:34 -0400
> chas williams - CONTRACTOR <chas@cmf.nrl.navy.mil> wrote:
> > On Thu, 31 Jul 2014 15:29:47 -0500
> > Andrew Deason <adeason@sinenomine.net> wrote:
> > 
> > > The first time I heard this I was a bit surprised, but that may be just
> > > because I'm very used to the 'aklog' approach and find it intuitive. You
> > > need to tell the kernel what credentials you want it to use for AFS
> > > access; makes sense to me.
> > 
> > Usually, aklog is handled transparently here, either via MIT's krb5
> > login (et al) client calling out to aklog or via pam_krb5. 
> This isn't "transparent" for the administrator, though. You had to
> install an afs-specific pam module, or specify that something runs
> aklog; something like that. (And of course, that's only for things that
> run through PAM.)
> > > The alternative is to effectively "guess" what credentials we should
> > > be using, which is what NFSv4 does (rpc.gssd).[...]
> > 
> > Not impossible for Linux.  I believe that the Linux keyring code
> > allows for down calls from the kernel to user space in order to ask
> > something to insert the appropriate keys (see keys-request-key.txt in
> > the Linux kernel).
> We can do a userspace upcall on any platform; that's not the hard part...
> -- 
> Andrew Deason
> adeason@sinenomine.net
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

David William Botsch
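As an added illustration of the "AFS as just another PAM module" setup discussed above (this is an example configuration written for this page, not something from the original post or from OpenAFS itself): a Linux PAM stack in which pam_krb5 obtains the Kerberos credential cache and pam_afs_session then creates a PAG and runs aklog, so the user never types aklog by hand. The module names, option names (minimum_uid, program) and the uid cutoff are assumptions about Russ Allbery's pam-krb5 and pam-afs-session packages and about Linux-PAM's pam_exec; check the man pages shipped with your distribution before copying.

```pam
# /etc/pam.d/common-session  (example, not from the original thread)
#
# Order matters: pam_krb5 must create the credential cache and export
# KRB5CCNAME into the PAM environment before pam_afs_session runs, because
# aklog reads the ticket from that cache.
session optional pam_krb5.so        minimum_uid=1000
# pam_afs_session calls setpag() for a fresh PAG, then runs aklog to turn
# the Kerberos TGT into an AFS token scoped to this login session.
# 'program=' names the aklog binary to run (assumption: option spelling as
# in pam-afs-session; omit it to use the module's built-in token code).
session optional pam_afs_session.so minimum_uid=1000 program=/usr/bin/aklog

# /etc/pam.d/common-auth  (example)
#
# pam_afs_session also belongs in the auth stack: its authenticate call is
# a no-op, but pam_setcred() is where the PAG and token get created for
# services that call setcred without opening a session.
auth    sufficient pam_krb5.so        minimum_uid=1000
auth    required   pam_unix.so        try_first_pass
auth    optional   pam_afs_session.so minimum_uid=1000 program=/usr/bin/aklog

# Alternative without an AFS-specific module (Andrew's "specify that
# something runs aklog" case): pam_exec hands the PAM environment, including
# KRB5CCNAME, to the child process (assumption: Linux-PAM pam_exec with the
# seteuid option, so aklog runs as the user rather than as root).
# session optional pam_exec.so seteuid /usr/bin/aklog
```

The pam_exec variant shows why the AFS-specific module exists: nothing in that line calls setpag(), so the token aklog obtains is attached to the uid rather than to the login session and will be shared with, or clobbered by, any other session of the same user. After changing the stack, log in on a fresh tty and confirm with klist (ticket cache present) and tokens (an afs token for the cell in ThisCell) that both steps ran in the expected order.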