[OpenAFS] AFS rsh token passing

Douglas E. Engert deengert@anl.gov
Tue, 31 Oct 2006 09:25:56 -0600


Rich Sudlow wrote:

> What's the best replacement for the old AFS rsh and
> Transarc inetd which does token passing?
> 
> I'm using this in a Linux cluster environment so speed is
> fairly important - and I'd prefer something as easy to
> set up as the old rsh.

If this is a cluster, and speed is the issue, you could consider
shared K5 ticket caches across a shared cluster file system.
Then you pre-stage a K5 ticket. aklog on each node then finds
the ticket, and sets it as a token. So there is no extra ticket
passing or extra calls to the KDCs.

This requires address-less tickets, or a ticket with
all the cluster addresses in the one ticket, and is subject to
security considerations of the shared file system and network
within the cluster.

This goes along with what is a cluster, and what is a "session"
on your cluster. Can the "session" be considered to include
multiple traditional sessions each started by a different rshd
for the same user? You could do this with or without PAGs. Without
a PAG the aklog only needs to be called once on each node, and
any rsh could be used between the cluster nodes.

(We did something like this with DCE many years ago where
a process could join a PAG, thus avoiding all the extra overhead
of getting a lot of tickets for each new rshd session.)

Just some other ways to look at a cluster...

> 
> Thanks
> 
> Rich
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
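
Added example, not part of the original message or of OpenAFS: a shell sketch of the pre-staged shared-cache approach described in the reply above, with a check that the cache file on the shared file system is private before aklog uses it. The directory /cluster/shared/krb5cc and the function names are assumptions; kinit -A requests an address-less ticket.

```shell
#!/bin/bash
# Added example; SHARED_CC_DIR and all function names are hypothetical.
# Assumes Linux nodes (GNU stat) and kinit/aklog on PATH where they are called.

# Assumed location of per-user caches on the cluster-wide file system.
SHARED_CC_DIR="${SHARED_CC_DIR:-/cluster/shared/krb5cc}"

# Return 0 only if the cache is a regular file (not a symlink), owned by the
# calling user, with no group/other permission bits (mode 600 or 400).
ccache_is_private() {
    f="$1"
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    info=$(stat -c '%a %u' "$f") || return 1
    mode=${info% *}
    owner=${info#* }
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# On the submit host: get one address-less ticket into the shared cache.
# $1 is the principal. umask 077 keeps the new cache file at mode 600.
prestage_ticket() {
    cc="$SHARED_CC_DIR/krb5cc_$(id -u)"
    ( umask 077; KRB5CCNAME="FILE:$cc" kinit -A "$1" ) || return 1
    ccache_is_private "$cc"
}

# On each node: reuse the pre-staged ticket and set it as an AFS token.
# No KDC round trip for a new TGT is needed; aklog reads the shared cache.
node_get_token() {
    cc="$SHARED_CC_DIR/krb5cc_$(id -u)"
    if ! ccache_is_private "$cc"; then
        echo "refusing to use $cc: missing or not private" >&2
        return 1
    fi
    KRB5CCNAME="FILE:$cc" aklog
}
```

The permission check only covers the local view of the file; it does not address who else can read the shared file system or the network between nodes.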