[OpenAFS-devel] [LKML] Re: In-kernel Authentication Tokens (PAGs)

Tomas Olsson tol@stacken.kth.se
14 Jul 2004 13:01:18 +0200


Frank Bagehorn <FBA@zurich.ibm.com> writes:

> > if you don't have an allocated PAG (PAG@localhost session key?), your
> > uid is used as the key under which to store your tokens. This is handy
> > as you don't need to initialize tokens for every login if you do
> > several.
>
> And it becomes a problem in a case where e.g. several admins log into the
> root account.  You do want them to have separate PAGs with their
> credentials. You don't want to get another admin's AFS token just because
> he logged in...
>
True. Shared logins are tricky, and ticket forwarding changes a lot of
things. One could argue that a daemon that receives forwarded tickets
should give you a new PAG. Should this be up to the daemon or be an OS
decision?

The question is in which cases a default PAG is desirable or undesirable,
or where the possibility to join a PAG in some way could be a solution.

What is natural for a user? Desired semantics on multiple rsh calls to my
number crunching nodes? RSA authenticated SSH? Attaching to screen
sessions? RDP/vnc/... sessions?

Yes, we are getting farther away from the original PAGs. I don't care so
much about what the current implementation does if it isn't what we really
want. Besides, similar things are likely to be included in several OSes, so
we'd better get this one right.  From what I hear, OpenBSD will probably
include a sane PAG (or whatever) implementation if they get a patch. We
need a spec.

Speaking for myself, I like default PAGs. But then I don't forward tickets
for my root logins. I rarely need them.

/Tomas