[OpenAFS] kaserver deprecation, OpenAFS future, etc...

Russ Allbery rra@stanford.edu
Sun, 22 Oct 2006 23:36:00 -0700


Jeff Blaine <jblaine@mitre.org> writes:

> I value kaserver because it currently works.  Out of the box.
> Day in, day out.  Without fail and without dependencies.

Having run both MIT KDCs and kaserver for, hm, something like 10 years
now, I've had kaserver fail a *lot* more than an MIT Kerberos v5 KDC.
Something on the order of 20-30 times instead of... hm... never.

Kerberos KDCs are just not that complicated and really shouldn't ever
break.  kaserver is actually the least reliable KDC I have ever run,
despite how reliable it is.

> I value kaserver because I use pam_afs.so extensively and it
> authenticates and token-grants out of the box.

I gotta tell you, from a PAM perspective, pam_afs.so is *nasty*.  It
simply doesn't do things correctly, and it does a lot of things that will
really hurt you in some situations (such as using PAM inside an
application where forks end up being expensive).  It does session stuff in
the authentication hooks, it links PAGs with authentication, it forks and
authenticates in a child process and relies on the "change group of
parent" hack, and it does other things that you really don't want.

The problem is that we don't have a *good*, general, easy-to-build AFS PAM
module that cooperates with a K5 realm.  We're going to fix that.

> If my users can login to Solaris 9, Solaris 10, RHELv3 and RHELv4 boxes
> (Intel and AMD64) and have a shell or X/GNOME/KDE environment with
> tokens sitting there, renewed at screen-unlock, I'm fine with that.

This shouldn't be hard to do; we're almost there now.  I have to make
exactly this work for Stanford anyway (with the exception of Solaris 10,
which shouldn't add much more to the picture), so it will happen.

> If you'd like, I can go through the whole process again in our testbed
> and point out everything that needs clear work or doesn't work at all.

Once I have an AFS PAM module that I'm happy with and can point you at the
detailed documentation from Debian on how to set up a K5 AFS cell, I would
like to see the results of that test.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
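The separation Russ argues for above (verify the password and obtain the Kerberos credential in the auth hooks; create the PAG and obtain AFS tokens in the session and setcred hooks, in the process that will run the user's shell, with no fork-and-change-parent trick) is what a PAM stack along the following lines achieves. This is an added illustration, not part of the original message or of any OpenAFS deliverable; it assumes a Kerberos v5 PAM module named pam_krb5.so and a separate, session-only AFS module named pam_afs_session.so, neither of which is named in the post, and the minimum_uid option is likewise an assumption.

```conf
# Linux-style /etc/pam.d stack (added example; module names and the
# minimum_uid option are assumptions, not from the original message).

# Authentication phase: only verify the password and acquire a Kerberos v5
# TGT. Nothing AFS-specific happens here, so forks and PAG creation never
# occur inside an application's authentication call.
auth      sufficient  pam_krb5.so          minimum_uid=1000
auth      required    pam_unix.so          try_first_pass

# Session phase: establish a fresh PAG for the login process and turn the
# TGT into AFS tokens, in the same process that will exec the user's shell.
session   optional    pam_krb5.so          minimum_uid=1000
session   optional    pam_afs_session.so   minimum_uid=1000
```

Screen lockers and similar programs typically run only the auth stack followed by pam_setcred rather than opening a new session, so the "tokens renewed at screen-unlock" requirement in the quoted message is met by having the AFS module refresh tokens from its pam_sm_setcred hook (PAM_ESTABLISH_CRED / PAM_REFRESH_CRED) instead of from pam_sm_authenticate; the ordering above keeps pam_krb5.so ahead of the AFS module so a valid TGT is already in place when tokens are requested.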