[OpenAFS] Re: Authentication without aklog

Chas Williams (CONTRACTOR) chas@cmf.nrl.navy.mil
Fri, 01 Aug 2014 11:32:05 -0400

In message <20140801094039.7390ad15eb9269df241fb198@sinenomine.net>, Andrew Deason writes:
>This isn't "transparent" for the administrator, though. You had to
>install an afs-specific pam module, or specify that something runs
>aklog; something like that. (And of course, that's only for things that
>run through PAM.)

Administrators are going to have a hard life no matter what happens.

Having a simple PAM module installed by OpenAFS that runs aklog would fix
a few complaints (but of course do nothing to fix PAGs).  PAM continues to
grow in popularity, even modern versions of MacOS use it.  The problem
with PAM is that system configuration tools tend to write over any
changes an administrator might make.

>> > The alternative is to effectively "guess" what credentials we should
>> > be using, which is what NFSv4 does (rpc.gssd).[...]

>> Not impossible for Linux.  I believe that the Linux keyring code
>> allows for down calls from the kernel to user space in order to ask
>> something to insert the appropriate keys (see keys-request-key.txt in
>> the Linux kernel).
>We can do a userspace upcall on any platform; that's not the hard part...

Yes, but it's mostly useless since it doesn't preserve any existing
security context.  Unless your kinit puts the tickets in a well known
(and easily read) location, which somewhat defeats the purpose of
strong authentication, an up call to afsd is mostly useless.