[OpenAFS] Authentication without aklog

Troy Benjegerdes hozer@hozed.org
Fri, 1 Aug 2014 18:59:02 -0500


On Fri, Aug 01, 2014 at 10:44:29PM +0000, Brandon Allbery wrote:
> On Fri, 2014-08-01 at 17:35 -0500, Troy Benjegerdes wrote:
> > So why don't we use the kernel keyring on Linux, and the built-in OS support
> > on both MacOS and Windows for Kerberos to grab the key that matches the 
> > default realm? If you have weird situations, or where administrators feel 
> > they must stick with 'legacy' behavior, then make a 'disable_request_key()'
> > option to the cache manager.
> 
> Because, while they're no doubt the most common OSes in your privileged
> experience, they are not necessarily the most common OSes that are used
> with AFS. In particular, I support a decent number of customers that use
> Solaris heavily; where is your "oh just use the OS keyring abstraction"
> there? Or should they dump AFS because they are not on the OSes that you
> know from your privileged view are the only ones that matter?
> 

Doesn't this provide some sort of key management?

http://docs.oracle.com/cd/E23823_01/html/821-2730/gkwrk.html

I am trying to argue that we should use the OS-vendor provided and 
security audited cryptographic frameworks if at all possible, instead of 
continuing to carry forward the old code that was written before any OS
actually *had* a crypto framework.

It appears to me that most OSes have gone quite a bit beyond what kinit
and aklog do, and we keep trying to use aklog to adapt square pegs to 
round holes because that's what we did when there was no hole or API to
adapt to and we had to write it.

-- 
----------------------------------------------------------------------------
Troy Benjegerdes                 'da hozer'                  hozer@hozed.org
7 elements      earth::water::air::fire::mind::spirit::soul        grid.coop

      Never pick a fight with someone who buys ink by the barrel,
         nor try to buy a hacker who makes money by the megahash