[OpenAFS] Re: Authentication without aklog

Douglas E Engert deengert@gmail.com
Mon, 04 Aug 2014 14:34:33 -0500

[ Hit the wrong button, let me finish my reply below...]

On 8/1/2014 7:50 PM, Andrew Deason wrote:
> On Fri, 1 Aug 2014 18:59:02 -0500
> Troy Benjegerdes <hozer@hozed.org> wrote:
>> Doesn't this provide some sort of key management?
>> http://docs.oracle.com/cd/E23823_01/html/821-2730/gkwrk.html
> The Oracle Key Manager thing I thought was for x.509 certs, but I could
> be wrong. I've never seen krb5 stuff use anything besides the normal
> file-based ccaches on Solaris.
>> It appears to me that most OSes have gone quite a bit beyond what kinit
>> and aklog do, and we keep trying to use aklog to adapt square pegs to
>> round holes because that's what we did when there was no hole or api to
>> adapt to and we had to write it.
> The interface/API/framework/etc that you want to leverage is rpc.gssd
> (or gssd or whatever on various platforms). It is NFSv4-specific and not
> general purpose. To do what you are saying would be to ask rpc.gssd for
> credentials and use those; I do not think that's possible, but I haven't
> tried, and I would love to be wrong about that.
> If you are surprised or do not believe me that this is general purpose,
> well... besides us, nobody besides (some) NFSv4 has ever really had a
> need for accessing krb5 creds from the kernel (at least "historically").

Well DCE/DFS did, and they did it by by having a daemon, which I don't
remember it name. I believe that is where the NFS gssd got the idea.
DCE inforced a KRB5CCNAME of the ticket cache, in some thing like
/var/dce/creds/<cachename> where the <cachename> contained the PAG
number. On AIX at least, DCE/DFS and AFS used the same PAG.

> Userspace processes do this all the time and that's relatively easy, but
> the kernel is an entirely different matter. Even besides the matter of
> authentication, some platforms have a lot of assumptions that any
> non-local network filesystem is NFS.
> As mentioned, the Linux kernel keyring ccache type is an exception to
> this, and is generally what we want. But it's new and certainly not
> commonplace enough to just assume that's what everyone is using. Some
> day it may be that way, but that is not now. I am not aware of any other
> platform that has something analagous to that (I admit I am rather
> ignorant of how OS X's API: ccache works, or Windows' MSLSA: or whatever
> it is).


  Douglas E. Engert  <DEEngert@gmail.com>