[OpenAFS] Redux: Linux: systemctl --user vs. AFS

Stephen stephen@email.unc.edu
Thu, 5 Aug 2021 12:32:33 -0400 (EDT)

Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8BIT


Thanks for the reply.

On Thu, 5 Aug 2021, spacefrogg-openafs@spacefrogg.net wrote:

> While this thread is live again, let me contribute my own findings on 
> this. Our network runs mainly NixOS machines.
> For us, using sssd for Kerberos ticket management turned out to be a huge 
> benefit, mainly for its centralized ticket refresh functionality. We hold 
> users' tickets in well-known files. Using sssd lifts the necessity to 
> have the directory holding ticket caches user-writable. So, well-known 
> cache files is not a security concern anymore.
> We use systemd, as well. We have set up the systemd-user@.service in a 
> way, that it acquires an AFS token before starting. Thus, all dependent 
> user services have AFS access. This is what we need well-known ticket 
> cache files for. PAM has already run at the time, so the cache is hot.

That approach sounds interesting. Are the specifics documented anywhere for 
someone wanting to replicate and evaluate it?

> Lingering does obviously not work with this setup.
> We use nopag tokens, as we don't believe in its added security promises. 
> In parallel, we allow ticket forwarding for remote logins, mainly for the 
> benefit of single sign-on. So, this circumvents most promises, PAGs would 
> give us anyway.
> nopag also allows us to post-acquire AFS token for systemd services of a 
> running session, which is important for road-warrior (does one still use 
> this term?) setups.
> PAGs are a big usability bonus, though, when using pagsh to temporarily 
> acquire an administrative shell.

I have also enjoyed this functionality historically. My worry though is if 
you use nopag everywhere, but then use pags for admin tasks, what happens 
if you accidentally start a shared process (sshd, etc) from an admin PAG 
when you and/or the process are assuming tokens are per-uid, rather than 

To the best of my knowledge, there's no way for a process to drop a PAG 
once it is started within one and once you're in a PAG, tokens are then 
per-pag and not per-uid. That's why I took the hybrid approach where ssh's 
pam still creates PAGs on login (basically all of my admin occurs via ssh 
either manually or via ansible).

Someone please correct me if my assumptions or understanding are wrong!

> Hope this helps!
> –Michael
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info