[OpenAFS-devel] aklog on MacOS X was Re: Service Ticket Questions

Ken Hornstein kenh@cmf.nrl.navy.mil
Tue, 21 Mar 2006 13:07:32 -0500


>http://developer.apple.com/documentation/Security/Conceptual/Security_Overview/Security_Services/chapter_4_section_6.html
>
>Presumably, it would be straightforward for AFS and Kerberos to use
>Keychain Services and provide their own CLI interface, no?  Or are
>you concerned about something completely different?

I can't speak for lxs, but here's my take after reading the documentation
you referenced.

The focus of the Keychain seems to be on storing "long term" secrets;
in other words, passwords.  I know it can store other things, but the
majority of the documentation and examples talk about that.

The problem is that AFS tokens are "short lived" secrets; you get a new
one every time you re-authenticate to Kerberos.  Maybe you could fit it
in there, but it's not obvious to me how you would do it.  I think to
really make it work you'd need to extend how Keychain works.

Shifting gears a bit ... as long as we're talking about OpenAFS, MacOS
X, and the AFS token, it would be useful if we could reference AFS
tokens by the MacOS Security Session (the one that's created by
SessionCreate()), rather than by userid as we do now.  I guess all we
would really need from the MacOS side is a way inside of the kernel
to know what session a particular process belongs to.  This would
let us do PAGs the "right" way on MacOS X.

--Ken