[OpenAFS-devel] pagless authentication

Derek Atkins warlord@MIT.EDU
29 Sep 2003 11:11:27 -0400


Pete Zaitcev <zaitcev@redhat.com> writes:

> At one point, Derrik wrote:
> 
> > Currently it's possible to set a token when you have no pag, and these
> > become associated with the uid that set them. (The pag number is not the uid;
> > instead any process without a pag but with a uid that has tokens associated
> > with it gets those tokens.) As long as the above don't bind tightly to a pag,
> > sure. 
> 
> I am curious about three things.
> 
> a. Is there a command line utility to do it, and if yes, which?
>    klog does not appear to have a key (-setpag does something else, right?)

Once you have a PAG you will always have a pag.  There is no way to
"drop a PAG".  Getting tokens (with or without a PAG) works the same
way -- you run klog, or kinit + aklog, or kinit + afslog, or one of
the myriad of other commands.

If you use "klog -setpag" then it will get you tokens AND give you a
new PAG.

> b. How long is the lifetime of these tokens, and where are they kept?
>    If all user's processes exit, do they stay behind?

The same lifetime.  The tokens are the same, regardless of whether you
use a PAG or not.  They are STILL stored in the kernel.  They will NOT
go away if your processes exit (neither will tokens in a PAG).  They
will hopefully get garbage collected later on (like after they
expire), but that assumes the GC is running and working properly.

> c. Is it a property of OpenAFS or Transarc AFS?

Yes.

> -- Pete

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
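
The lookup rules described in this thread, as an added example that is not part of the original messages and is not OpenAFS code: a simplified Python model in which tokens are filed under the caller's PAG if it has one and under its uid otherwise, and are removed only by expiry-driven garbage collection. All class and function names are hypothetical, and one token per PAG or uid is assumed (no per-cell detail).

```python
# Added illustration: a simplified model, not OpenAFS code. All names are hypothetical.
import itertools
from dataclasses import dataclass
from typing import Optional

@dataclass
class Process:
    uid: int
    pag: Optional[int] = None          # None means the process has no PAG

class TokenCache:
    """Stands in for the kernel-side token store described in the thread."""
    def __init__(self):
        self._tokens = {}              # ("pag", n) or ("uid", n) -> expiry time
        self._next_pag = itertools.count(1)

    def _key(self, proc):
        # A process in a PAG is looked up by PAG, otherwise by uid.
        return ("pag", proc.pag) if proc.pag is not None else ("uid", proc.uid)

    def klog(self, proc, expires_at, setpag=False):
        if setpag:                     # "klog -setpag": new PAG, then tokens
            proc.pag = next(self._next_pag)
        self._tokens[self._key(proc)] = expires_at

    def has_token(self, proc, now):
        expiry = self._tokens.get(self._key(proc))
        return expiry is not None and now < expiry

    def gc(self, now):
        # Only expiry removes an entry; process exit is never consulted.
        self._tokens = {k: e for k, e in self._tokens.items() if now < e}

    def stored(self):
        return set(self._tokens)

def demo():
    cache = TokenCache()
    shell = Process(uid=1000)
    cache.klog(shell, expires_at=100)               # PAG-less: filed under uid 1000
    same_uid = Process(uid=1000)                    # unrelated process, same uid
    boxed = Process(uid=1000)
    cache.klog(boxed, expires_at=100, setpag=True)  # filed under a fresh PAG
    del shell                                       # the process that ran klog exits
    return {
        "same_uid_sees_token": cache.has_token(same_uid, now=10),
        "other_uid_sees_token": cache.has_token(Process(uid=1001), now=10),
        "boxed_sees_token": cache.has_token(boxed, now=10),
        "stored_after_exit": cache.stored(),
    }
```

In this model the PAG-less token is usable by every process running as uid 1000, while the `-setpag` token is reachable only from the process holding that PAG; both entries stay in the store after the creating process is gone.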