[OpenAFS] Native Kerberos 5 authentication in openafs-1.4

Earl Shannon Earl_Shannon@ncsu.edu
Thu, 15 Sep 2005 10:31:20 -0400


This is just a minor point, and if using aklog is where things go
then fine.  If I understand you correctly Ken, then aklog is getting
my token/ticket as part of setting up a session at login as a
separate application of sorts. And as I say that's fine. But my
point is I don't get a ticker for say, IMAP, until I start a mail
client and it attempts to login to the IMAP server.  I'm suggesting
that the afs token/ticket doesn't need to be obtained until the
user attempts to make use of AFS, ie, by cd 'ing into the AFS
file system. And its at that point that the authentication to AFS
occurs. Using aklog as part of a session setup is a "pre-authentication"
of sorts.

Now, since most sites using AFS put peoples home file
space in AFS, the session setup getting the token is a good
and currently necessary, thing. :)

Earl Shannon

Ken Hornstein wrote:

>>While probably not the case I can only hope that the exclusion of the tools
>>is because they want to do a better job of inter operating with the KDC.
>>In my opinion that would mean dropping the need for aklog and asetkey.
>>After all aklog is basically a second authentication.
>You are incorrect.  Aklog is simply the program that takes your Kerberos
>tickets and makes them available to AFS (possibly getting a Kerberos
>ticket for AFS, but it doesn't ask for a password).  In this sense, it
>behaves just like every other Kerberized application.  If you arrange for
>aklog to be run at login time, it becomes an essential component of
>single sign-on (you don't have to use aklog per se, you can use a PAM
>module that does aklog-like things).
>>Why can't the 
>>take place the same way as say, using an IMAP server?. You access the 
>>( cd to /afs ) and get asked for your credentials.
>If you can figure out how to make this happen in a portable manner, let
>me know.
>>And asetkey simply puts the principal afs into a keyfile that afs knows how
>>to read. Well, make afs read the kerberos key file where it is as it is.
>That's not unreasonable.  I suspect sometime in the future someone will
>do that.  But it's worth pointing out that you don't technically need
>asetkey; you can use klist to read the raw key data (-K in MIT
>Kerberos), and Heimdal already knows how to write a AFS KeyFile.  I'm
>not saying asetkey won't get added, but there was a finite amount of
>time before the 1.4 branch was cut, and I only had the free time to do
>OpenAFS-info mailing list