[OpenAFS] Re: Any budding documentation writers

Simon Wilkinson sxw@inf.ed.ac.uk
Wed, 3 Mar 2010 18:36:25 +0000

On 3 Mar 2010, at 18:28, Russ Allbery wrote:

> Simon Wilkinson <sxw@inf.ed.ac.uk> writes:
>> It might be, but I think documenting multiple ways of doing things is
>> likely to be confusing to a novice user. We should pick one mechanism
>> and stick to it, and aklog is probably the best one to choose. In
>> addition, klog.krb5 won't be applicable to rxgk, but aklog is.
> Why wouldn't klog.krb5 be applicable to rxgk, at least in the abstract
> (doing the work is another matter)?  It's just the combination of a  
> kinit
> and aklog without storing the credentials in the file system.  It  
> should
> be usable with any Kerberos-based authentication mechanism.

Because rxgk doesn't care what GSSAPI mechanism is being used to get  
the initial credentials. The tools that AFS provides assume that a set  
of credentials are available (from Kerberos, from GSI, from a local  
smart card ...), and simply does GSSAPI calls from then on.

Building specific Kerberos knowledge into rxgk is a non-goal - one of  
the primary aims of rxgk is to build an rx security layer which is  
mechanism independent.