[OpenAFS] kaserver deperecation, OpenAFS future, etc...
Thu, 19 Oct 2006 10:28:04 -0400
>I spent weeks poking around at it several months ago. We
>*were* well on our way toward a KDC-auth setup in our little
>corner. I wouldn't *strongly* recommend it to anyone who
>expects users to get tokens automatically when they login.
>But usability is of no real concern to security guys.
I don't think that's quite fair. We've been getting AFS tokens at
login time automatically for ... I guess it's more than 8 years now
(I'm talking about Kerberos 5 + aklog). I consider myself a security
guy, and usability is definately one of my concerns ... we have to
balance it against security, of course, but getting AFS tokens at login
time is really a no-brainer. You make it seem like we're all
conspiring in some dark basement against you: "Hahaha, by silently
deprecating kaserver, we're REALLY going to stick it to Mitre this
The reality is more complex. It's been possible to use your Kerberos 5
KDC with AFS (even IBM AFS) for a long time. I gave a presentation
about my work on this back at the 1998 (or was it 1997?) Decorum ...
and I wasn't the first. Okay, using a V5 KDC with AFS was on the
fringe back then; you had to collect tools from a few different places
together to make it all work. It's been more and more common recently;
now nearly all of the tools you need to do it are included with OpenAFS,
and people have some not-bad writeups in the Wiki explaining what you need
Unfortunately, like many open-source projects, the documentation and
integration pieces aren't the best. It's all a matter of resources;
once you spend time figuring something out, you don't have much time to
write it down for other people. I personally don't think the
documentation in the migration kit is so bad (I'm biased, because I
wrote it), but that only got written because my boss specifically asked
me to. I don't work on PAM because I think it's evil (I'm sort-of PAM
agnostic), but because we have a non-PAM solution working for every
system we care about that gets AFS tokens just fine, so I don't care
that much about it. Maybe if I had some free time I'd work on it ...
but I don't. So it's not like we're actively trying to make usability
worse ... it's just that the out-of-the-box experience right now isn't
great because no one has the time or energy to devote cycles to the big