[OpenAFS] Re: Authentication without aklog

Andrew Deason adeason@sinenomine.net
Fri, 1 Aug 2014 09:40:39 -0500


On Fri, 1 Aug 2014 07:02:34 -0400
chas williams - CONTRACTOR <chas@cmf.nrl.navy.mil> wrote:

> On Thu, 31 Jul 2014 15:29:47 -0500
> Andrew Deason <adeason@sinenomine.net> wrote:
> 
> > The first time I heard this I was a bit surprised, but that may be just
> > because I'm very used to the 'aklog' approach and find it intuitive. You
> > need to tell the kernel what credentials you want it to use for AFS
> > access; makes sense to me.
> 
> Usually, aklog is handled transparently here, either via MIT's krb5
> login (et al) client calling out to aklog or via pam_krb5.

This isn't "transparent" for the administrator, though. You had to
install an afs-specific pam module, or specify that something runs
aklog; something like that. (And of course, that's only for things that
run through PAM.)

> > The alternative is to effectively "guess" what credentials we should
> > be using, which is what NFSv4 does (rpc.gssd).[...]
> 
> Not impossible for Linux.  I believe that the Linux keyring code
> allows for down calls from the kernel to user space in order to ask
> something to insert the appropriate keys (see keys-request-key.txt in
> the Linux kernel).

We can do a userspace upcall on any platform; that's not the hard part...

-- 
Andrew Deason
adeason@sinenomine.net