[OpenAFS] Authentication without aklog

Troy Benjegerdes hozer@hozed.org
Fri, 1 Aug 2014 17:35:15 -0500


On Fri, Aug 01, 2014 at 03:15:26PM +0100, David Howells wrote:
> chas williams - CONTRACTOR <chas@cmf.nrl.navy.mil> wrote:
> 
> > Not impossible for Linux.  I believe that the Linux keyring code
> > allows for down calls from the kernel to user space in order to ask
> > something to insert the appropriate keys (see keys-request-key.txt in
> > the Linux kernel).
> 
> Yes.  request_key() will call out to userspace to instantiate a key it doesn't
> have yet, passing the caller's keyrings over so that the TGT can be retrieved.
> 

I think the Linux keyring approach got it right with respect to giving the
right user experience that is secure and maintainable.

The problem with AFS seems to be that everyone who knows you need to 'kinit ; aklog'
and it's been so long we have all forgotten the experience of what it was like
before we realized this.

So why don't we use the kernel keyring on Linux, and the built-in OS support
on both MacOS and Windows for Kerberos to grab the key that matches the
default realm? If you have weird situations, or where administrators feel
they must stick with 'legacy' behavior, then make a 'disable_request_key()'
option to the cache manager.

-- 
----------------------------------------------------------------------------
Troy Benjegerdes                 'da hozer'                  hozer@hozed.org
7 elements      earth::water::air::fire::mind::spirit::soul        grid.coop

      Never pick a fight with someone who buys ink by the barrel,
         nor try to buy a hacker who makes money by the megahash