[OpenAFS] Authentication without aklog

Douglas E Engert deengert@gmail.com
Mon, 04 Aug 2014 15:21:36 -0500

On 8/4/2014 6:38 AM, chas williams - CONTRACTOR wrote:
> On Fri, 1 Aug 2014 17:35:15 -0500
> Troy Benjegerdes <hozer@hozed.org> wrote:
>> The problem with AFS seems to be everyone who knows you need to 'kinit ; aklog'
>> and it's been so long we have all forgotten the experience of what it was like
>> before we realized this.
> It has been a while but I believe I was told that you had to run aklog
> because you were "logging into the storage".  This made sense at the
> time since I couldn't access a remote system without first logging into
> it as well.  We weren't big users of NFS at the time and this didn't
> seem unusual.

Users have to "login" to other "network file systems" like DropBox, Box,
or other Cloud systems. The issue of having to log in twice is a trust issue.
Users live with it every day, on the Web.

They do complain about multiple logins, so systems like Shibboleth, ADFS and other
SAML-based identity management can extend that trust across more systems
and federations like InCommon.

AFS was just way ahead of its time...

12 years ago I wrote gssklog and gssklogd, which could use the
Globus GSI, a GSS implementation using PKI.  The AFS cell admin would
run the gssklogd and it would send AFS tokens back to a client
running the gssklog started by a Globus program. This then allowed
non-Kerberos 5 sites to use AFS from Globus and Grid Proxy certificates.

CERN was using it up to 2012:

So single sign-on is possible, but it's a matter of trust.

> I would hazard that rpc.gssd exists because someone didn't want to
> alter the "NFS experience".

And they made the assumption NFS would trust the workstation login,
i.e. both used Kerberos, and a login to the workstation was a network login.

> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info


  Douglas E. Engert  <DEEngert@gmail.com>