[OpenAFS] Re: feasibility of moving lightweight-principals issue "upstream" to kerberos

Adam Megacz megacz@cs.berkeley.edu
Mon, 02 Jan 2006 22:37:58 -0800


Jeff, your solutions are a bit like saying that everybody should just
be happy using an 8086 CPU because it's Turing-complete.  It's not
"wrong", but if users have to jump through a lot of hoops, or even one
hoop *per cell*, they'll simply avoid AFS.

Furthermore, while your Network Identity Manager thing is indeed quite
cool, it is unfortunately Windows-specific.

  - a



Jeffrey Altman <jaltman@secure-endpoints.com> writes:
> Adam Megacz wrote:
>
>> Yes.  One facet of what I'm getting at is that users should be able to
>> use face-to-face interaction as an authentication mechanism if their
>> AFS admins wish to allow that in their cell.  Right now there is a
>> technological barrier to this policy option.
>
> I really think you are confusing the authentication and authorization
> issues.   AFS does not manage identification.   That is performed by
> whatever authentication system you are using.   If you want to set up
> an authentication model that allows identities to be issued based upon
> one user in your authentication domain vouching for another, by all
> means implement a web interface that allows that.   However, this has
> nothing at all to do with AFS which is simply a service that relies
> on an external authentication service.
>
> As I have pointed out numerous times this past week, if you can control
> a DNS domain then you can deploy a Kerberos realm and as the
> administrator of that realm you can implement whatever policy your heart
> desires.
>
> I have also described how you can use authentication services other than
> Kerberos with AFS by implementing a token issuing daemon that accepts
> your authentication mechanism and returns a token to the end user.
>
> The new Network Identity Manager that is being shipped with MIT Kerberos
> for Windows and will be distributed with OpenAFS in a future release is
> entirely modular.  You can implement your own "identity" modules for it
> that can support your authentication model.   For Unix, you can
> implement your own command line tools and PAM modules to obtain tokens
> for your users.
>
> Jeffrey Altman
>

-- 
PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380