[OpenAFS] Re: Authentication without aklog

Andrew Deason adeason@sinenomine.net
Fri, 1 Aug 2014 19:29:20 -0500


On Fri, 01 Aug 2014 16:08:29 -0700
Russ Allbery <eagle@eyrie.org> wrote:

> To take a step back, one difficulty I've been having with this whole
> thread is how you get PAGs if you don't require some sort of PAM-like
> thing to run during user login.

The primary benefits of what I've been talking about are for situations
without PAGs. The people that were bugging me the most about this either
cannot use PAGs (because they cannot 'hook' the session creation), or
don't care about them (single-end-user machine; manual krb5 cred
acquisition).

While PAGs are useful or even essential in some scenarios, at least for
newcomers to AFS the reaction to PAGs (and 'aklog') more often tends to
be "wtf is this" rather than "oh boy this is so great this is why I'm
using AFS". For a lot of scenarios, UID-based access is fine, and tends
to be more intuitive, since that's how everything besides AFS tends to
work...

There are some situations with PAGs where I think the behavior in this
thread would still be useful, though they are not the motivation for
this thread. I can go into this a little more as a curiosity if someone
wants, but I'd rather make this discussion a bit simpler by just leaving
it out for now.

-- 
Andrew Deason
adeason@sinenomine.net