[AFS3-std] Re: tokens for bosserver

Andrew Deason adeason@sinenomine.net
Sat, 16 Feb 2013 15:42:07 -0600


On Sat, 16 Feb 2013 15:26:43 +0000
Simon Wilkinson <simon@sxw.org.uk> wrote:

> There are two issues here. Firstly, only machines hosting vlservers have
> access to the key material necessary to accept GSSNegotiate calls for
> afs-rxgk@_afs.cell. Machines with the rxgk cell-wide key can accept
> rxgk challenges using cell-wide tokens, but the failure mode here is
> such that I don't think you'd want to base a key negotiation on it.

What failure mode?

> Secondly, in situations where bos is managing servers for multiple
> cells, how do you decide which afs-rxgk@_afs.cell to use?

Possibly the simplest way is just to not support using the cell-wide key
for bozo when you want to control several cells with it. But there are
several other options (to pick a few: pick one with -cell like we do
now, use separate bosservers for each cell, somehow accept any like HTTP
negotiate auth can do).

-- 
Andrew Deason
adeason@sinenomine.net