[OpenAFS] "automatic" aklog?

Russ Allbery rra@stanford.edu
Mon, 02 Jan 2006 22:37:01 -0800

Adam Megacz <megacz@cs.berkeley.edu> writes:

> One other aspect of my goal is to effectively have aklog become
> "automatic".  That is, if a user's krb5 credentials cache has changed in
> any way since the last time s/he accessed a particular cell, the cache
> manager would ask afsd to run aklog (or perform equivalent action) on
> behalf of that user.

This would become *much* easier if the kernel credential cache code for
Linux were finished and Kerberos started using it as well as AFS.

> Is there a reason -- other than "nobody's had time to implement it" --
> that this is not already the case?

Yes, doing that sort of callback from kernel space back to userspace is
tricky to get right from a security standpoint, and even once you've done
that, you don't know what user credential cache to use (since that
information is in the process environment, to which you don't have access
from kernel code).

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
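The point Russ makes about the credential cache name living in the process environment is easiest to see from userspace. The following is an added example, not code from this thread or from OpenAFS: a small POSIX shell hook that reads KRB5CCNAME, fingerprints the cache file, and re-runs aklog for a cell only when the cache has changed. It assumes the FILE: cache type and that aklog accepts `-c <cell>`; the `AKLOG` variable is a hook of this example so a stand-in can be substituted.

```shell
# Userspace stand-in for an "automatic aklog": a kernel cache manager
# cannot read KRB5CCNAME, but a per-process shell hook can.

# Resolve the ccache path from the environment. The default location
# (/tmp/krb5cc_<uid>) is the traditional FILE: default. Non-file cache
# types (KEYRING:, DIR:, KCM:) are reported as unsupported here.
ccache_path() {
    cc="${KRB5CCNAME:-/tmp/krb5cc_$(id -u)}"
    case "$cc" in
        FILE:*) printf '%s\n' "${cc#FILE:}" ;;
        *:*)    return 1 ;;
        *)      printf '%s\n' "$cc" ;;
    esac
}

# Fingerprint the cache contents (checksum and size) so that any change,
# not just a new file, triggers a fresh token acquisition.
ccache_fingerprint() {
    path="$(ccache_path)" || return 1
    [ -r "$path" ] || return 1
    cksum < "$path" | cut -d' ' -f1-2
}

# Run aklog (or the command named in $AKLOG, an assumption of this example)
# for CELL only if the fingerprint differs from the one recorded in the
# per-user, per-cell state file. Prints "run", "skip" or "no-ccache".
maybe_aklog() {
    cell="$1"
    state="${2:-${TMPDIR:-/tmp}/aklog-state-$(id -u)-$cell}"
    fp="$(ccache_fingerprint)" || { echo "no-ccache"; return 1; }
    if [ -f "$state" ] && [ "$(cat "$state")" = "$fp" ]; then
        echo skip
        return 0
    fi
    "${AKLOG:-aklog}" -c "$cell" || return 1
    printf '%s\n' "$fp" > "$state"
    echo run
}
```

Calling `maybe_aklog <cell>` from a shell profile or a cron-driven renewal script gives per-process behaviour the kernel cannot provide, because each invocation sees that process's own KRB5CCNAME.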