[OpenAFS] Re: Authentication without aklog

Andrew Deason adeason@sinenomine.net
Fri, 1 Aug 2014 19:50:56 -0500

On Fri, 1 Aug 2014 18:59:02 -0500
Troy Benjegerdes <hozer@hozed.org> wrote:

> Doesn't this provide some sort of key management?
> http://docs.oracle.com/cd/E23823_01/html/821-2730/gkwrk.html

The Oracle Key Manager thing I thought was for x.509 certs, but I could
be wrong. I've never seen krb5 stuff use anything besides the normal
file-based ccaches on Solaris.

> It appears to me that most OSes have gone quite a bit beyond what kinit
> and aklog do, and we keep trying to use aklog to adapt square pegs to 
> round holes because that's what we did when there was no hole or api to
> adapt to and we had to write it.

The interface/API/framework/etc that you want to leverage is rpc.gssd
(or gssd or whatever on various platforms). It is NFSv4-specific and not
general purpose. To do what you are saying would be to ask rpc.gssd for
credentials and use those; I do not think that's possible, but I haven't
tried, and I would love to be wrong about that.

If you are surprised or do not believe me that this is general purpose,
well... besides us, nobody besides (some) NFSv4 has ever really had a
need for accessing krb5 creds from the kernel (at least "historically").
Userspace processes do this all the time and that's relatively easy, but
the kernel is an entirely different matter. Even besides the matter of
authentication, some platforms have a lot of assumptions that any
non-local network filesystem is NFS.

As mentioned, the Linux kernel keyring ccache type is an exception to
this, and is generally what we want. But it's new and certainly not
commonplace enough to just assume that's what everyone is using. Some
day it may be that way, but that is not now. I am not aware of any other
platform that has something analogous to that (I admit I am rather
ignorant of how OS X's API: ccache works, or Windows' MSLSA: or whatever
it is).

Andrew Deason