[OpenAFS-devel] aklog on MacOS X was Re: Service Ticket Questions

Henry B. Hotz hotz@jpl.nasa.gov
Tue, 21 Mar 2006 10:27:13 -0800


I personally have no problem with integrating Kerberos into Keychain  
Access, especially if there is an integrated way to show AFS tokens  
as well.  Sounds like a good idea.

However, I put out a list of 6 things that we need for AFS on the Mac  
and the GUIs were the last item.  We seem to be stuck between 1 and 2.

On Mar 21, 2006, at 9:12 AM, Ernest Prabhakar wrote:

> Hi lxs,
>
> On Mar 21, 2006, at 7:01 AM, Alexandra Ellwood wrote:
>> Apple has such a tool.  It's called Keychain Access.  It stores  
>> certs, passwords, identity preferences... basically anything  
>> living in your keychain.  I can't speak for Apple (I'm not even an  
>> Apple employee) but I'd place good money on this being where Apple  
>> would display Kerberos and AFS credentials if they were doing the  
>> support themselves.
>>
>> That being said I've never placed high priority on Kerberos  
>> support in Keychain Access because Mac users don't seem to want  
>> it.  Mac users want Kerberos to work without any interaction with  
>> any tools.  They want to be prompted for tickets when they need  
>> new ones (or have them automatically acquired in the pkinit case).
>
> Um, I'm having trouble following this argument, but I want to make  
> sure I understand your issue. I completely understand that AFS  
> users don't want to run a GUI application.  But, I'm confused with  
> how that impacts the issue of using "Keychain Services" as the  
> underlying API and storage mechanism for managing AFS tickets:
>
> http://developer.apple.com/documentation/Security/Conceptual/Security_Overview/Security_Services/chapter_4_section_6.html
>
> Presumably, it would be straightforward for AFS and Kerberos to use  
> Keychain Services and provide their own CLI interface, no?  Or are  
> you concerned about something completely different?
>
> -- Ernie P.
>