[OpenAFS] Re: Authentication without aklog

Andrew Deason adeason@sinenomine.net
Thu, 31 Jul 2014 17:32:53 -0500

On Thu, 31 Jul 2014 16:39:53 -0400
Dave Botsch <botsch@cnf.cornell.edu> wrote:

> On Linux, we use krb5-auth-dialog with its aklog plugin.
> Krb5-auth-dialog auto renews tickets and tokens, which is really nice
> (no need to run a separate krenew).
> On Mac (and replaced with krb5-auth-dialog for Linux), we use my now
> quite old AFSTokens application as an all-in-one app. Like I said, it's
> quite old and the code needs some updating, but it's there. And it works
> with cross-realm principals!

So, do I take this to mean, "these solutions work well enough for us, so
I don't really care"? :)

But even this seems like a good example of why some people are
frustrated or annoyed by all of this. Every single authentication
framework thing needs to have its own AFS plugin, or AFS tool, or
whatever; you just listed two different ones for two different
platforms. Wouldn't it be nice if everyone just needed a "krb5
plugin/tool/etc" instead of a krb5 and an AFS part? If that were true,
it would make AFS seem more like a normal (sane) piece of software, and
not its own weird special case.

I think that previously I thought that approach was impossible or
impractical, but more recently I've been thinking that that may not be
the case.

