[OpenAFS] Authentication without aklog

chas williams - CONTRACTOR chas@cmf.nrl.navy.mil
Fri, 1 Aug 2014 07:02:34 -0400


On Thu, 31 Jul 2014 15:29:47 -0500
Andrew Deason <adeason@sinenomine.net> wrote:

> The first time I heard this I was a bit surprised, but that may be just
> because I'm very used to the 'aklog' approach and find it intuitive. You
> need to tell the kernel what credentials you want it to use for AFS
> access; makes sense to me.

Usually, aklog is handled transparently here, either via MIT's krb5
login (et al) client calling out to aklog or via pam_krb5. 

> The alternative is to effectively "guess" what credentials we should be
> using, which is what NFSv4 does (rpc.gssd). That is, all you need to do
> to authenticate is to run a plain 'kinit' or equivalent (with no
> knowledge of AFS/NFS), and the kernel tries to find the ccache you used
> and turn it into a token itself. This approach has a noticeable number
> of cases where it does the wrong thing, and so you hear complaints about
> it from time to time. But when it works correctly, it's invisible, so I
> expect the only time you hear about it (from users) are the complaints.

Not impossible for Linux.  I believe that the Linux keyring code
allows for down calls from the kernel to user space in order to ask
something to insert the appropriate keys (see keys-request-key.txt in
the Linux kernel).  As I vaguely recall, this is partly how Linux's
rpc.gssd works (except the request key rummages around in a special
directory looking for Kerberos tickets).

Naturally, if OpenAFS sees that your token is expired, it could
call out again (hoping that it would get renewed).  Unfortunately, this
behavior would be somewhat counter to current behavior.  For instance,
if I issue unlog, I want to stay unlogged; I don't want something to
automatically reauthenticate for me.