[OpenAFS-devel] aklog on MacOS X was Re: Service Ticket Questions

Jeffrey Altman jaltman@secure-endpoints.com
Wed, 22 Mar 2006 09:34:39 -0500


David:

The goal is not to have a command line interface in place of a GUI.
The goal is for the user to never have to be involved or at least to
minimize the user involvement in authentication decisions as much as
possible.  Granted, there needs to be a mechanism by which users can
configure the bindings between the resource and the authentication
credential to be used.

Today in order to minimize the interactions with end users, we desire
the ability to utilize single sign-on and automatic credential renewal
via the Kerberos Login Library plug-in.  (Unfortunately, this is not
working quite right on Tiger.)

A binding is established by the Kerberos principal name stored in the
default credentials cache combined with the cell listed in the ThisCell
file.   When aklog is executed an AFS token is stored for the user in
the AFS kernel module.  The AFS kernel module then selects the
credential to use for any given directory by matching the
cellname the directory resides in to the cellname associated with the
token.  This produces a binding of one token per cell per user.

For users that have multiple cells they need to acquire tokens for
there is the "TheseCells" file.  Assuming all the tokens are acquired
using the same Kerberos principal, tokens for each cell listed in the
file are acquired in addition to the cell listed in the "ThisCell" file.
(Note to self, aklog must be modified to support "TheseCells".)
What we do not have at present is a mechanism by which tokens can
be obtained automatically for users when multiple Kerberos principals
must be used.

Assuming we can get this to work, AFS users only need to become
involved in obtaining credentials for use with AFS when:
(1) the Kerberos credentials could not be initially obtained at
    system login time (perhaps because there was no network
    connectivity)
(2) the Kerberos credentials expire
Since the AFS kernel module cannot prompt the user for tokens in that
case, we need a GUI such as "AFS Tokens.app" to provide end users the
interface required to request tokens.  I believe that in the short term
the "AFS Tokens.app" should work like this: a user should be
able to obtain a token with:

  + Cellname
  + Kerberos Principal Name
  + specify method (Kerberos 5 or Kerberos 5 to 4 translation)

"AFS Tokens.app" should call into the Kerberos Login Library to obtain
the credentials and the KLL should prompt the user for the Kerberos
password if required.

Thoughts?

Jeffrey Altman


David Botsch wrote:
> I've seen the opposite here... users much prefer a gui to having to do things
> in a commandline interface. As soon as you tell a user to go to the terminal or
> start up X11, the user's face blanks over.
> 
> On Tue, Mar 21, 2006 at 09:12:39AM -0800, Ernest Prabhakar wrote:
>> Hi lxs,
>>
>> On Mar 21, 2006, at 7:01 AM, Alexandra Ellwood wrote:
>>> Apple has such a tool.  It's called Keychain Access.  It stores  
>>> certs, passwords, identity preferences... basically anything living  
>>> in your keychain.  I can't speak for Apple (I'm not even an Apple  
>>> employee) but I'd place good money on this being where Apple would  
>>> display Kerberos and AFS credentials if they were doing the support  
>>> themselves.
>>>
>>> That being said I've never placed high priority on Kerberos support  
>>> in Keychain Access because Mac users don't seem to want it.  Mac  
>>> users want Kerberos to work without any interaction with any  
>>> tools.  They want to be prompted for tickets when they need new  
>>> ones (or have them automatically acquired in the pkinit case).
>> Um, I'm having trouble following this argument, but I want to make  
>> sure I understand your issue. I completely understand that AFS users  
>> don't want to run a GUI application.  But, I'm confused with how that  
>> impacts the issue of using "Keychain Services" as the underlying API  
>> and storage mechanism for managing AFS tickets:
>>
>> http://developer.apple.com/documentation/Security/Conceptual/Security_Overview/Security_Services/chapter_4_section_6.html
>>
>> Presumably, it would be straightforward for AFS and Kerberos to use  
>> Keychain Services and provide their own CLI interface, no?  Or are  
>> you concerned about something completely different?
>>
>> -- Ernie P.
>>
>> _______________________________________________
>> OpenAFS-devel mailing list
>> OpenAFS-devel@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-devel
> 
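As an added illustration of the binding described in the message above (one token per cell per user, cells taken from ThisCell and TheseCells, and the kernel module matching a directory's cell to a token), here is a small Python model. It is example code, not OpenAFS or aklog source; the one-cell-per-line format of TheseCells, the /afs/<cellname>/ path layout and the token string are assumptions.

```python
"""Model of the AFS token binding from the thread: aklog reads ThisCell
(and, once extended, TheseCells), acquires one token per cell per user
from a single Kerberos principal, and the kernel module selects the token
whose cell matches the directory being accessed. Example code only."""
import os
from typing import Dict, List, Optional, Tuple


def cells_to_acquire(thiscell_text: str, thesecells_text: str = "") -> List[str]:
    """Cells aklog should obtain tokens for: the ThisCell entry first, then
    every cell in TheseCells (assumed one per line; blank lines and '#'
    comments ignored), de-duplicated and normalised to lower case."""
    cells: List[str] = []
    for line in [thiscell_text] + thesecells_text.splitlines():
        cell = line.split("#", 1)[0].strip().lower()
        if cell and cell not in cells:
            cells.append(cell)
    return cells


# Token store keyed by (user, cell): re-running aklog for the same cell
# replaces the earlier token rather than adding a second one.
TokenStore = Dict[Tuple[str, str], str]


def acquire_tokens(store: TokenStore, user: str, principal: str, cells: List[str]) -> None:
    """Simulate aklog storing a token per cell, all from one principal."""
    for cell in cells:
        store[(user, cell)] = f"token:{principal}:{cell}"  # constructed placeholder


def cell_of_path(path: str) -> Optional[str]:
    """Cell name assumed to be the first component under /afs."""
    parts = os.path.normpath(path).split(os.sep)
    if len(parts) > 2 and parts[1] == "afs":
        return parts[2].lower()
    return None


def select_token(store: TokenStore, user: str, path: str) -> Optional[str]:
    """Kernel-module selection: match the directory's cell to a token's cell.
    None means no token exists, so the access proceeds without one."""
    cell = cell_of_path(path)
    return store.get((user, cell)) if cell else None
```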
