[OpenAFS] Re: Authentication without aklog

Douglas E Engert deengert@gmail.com
Mon, 04 Aug 2014 14:27:55 -0500 

On 8/1/2014 7:50 PM, Andrew Deason wrote:
> On Fri, 1 Aug 2014 18:59:02 -0500
> Troy Benjegerdes <hozer@hozed.org> wrote:
>
>> Doesn't this provide some sort of key management?
>>
>> http://docs.oracle.com/cd/E23823_01/html/821-2730/gkwrk.html
>
> The Oracle Key Manager thing I thought was for x.509 certs, but I could
> be wrong. I've never seen krb5 stuff use anything besides the normal
> file-based ccaches on Solaris.
>
>> It appears to me that most OSes have gone quite a bit beyond what kinit
>> and aklog do, and we keep trying to use aklog to adapt square pegs to
>> round holes because that's what we did when there was no hole or api to
>> adapt to and we had to write it.
>
> The interface/API/framework/etc that you want to leverage is rpc.gssd
> (or gssd or whatever on various platforms). It is NFSv4-specific and not
> general purpose. To do what you are saying would be to ask rpc.gssd for
> credentials and use those; I do not think that's possible, but I haven't
> tried, and I would love to be wrong about that.
>
> If you are surprised or do not believe me that this is general purpose,
> well... besides us, nobody besides (some) NFSv4 has ever really had a
> need for accessing krb5 creds from the kernel (at least "historically").

Well DCE/DFS did, and they did it by by having a daemon, which I don't
remeber it name. similar to



> Userspace processes do this all the time and that's relatively easy, but
> the kernel is an entirely different matter. Even besides the matter of
> authentication, some platforms have a lot of assumptions that any
> non-local network filesystem is NFS.
>
> As mentioned, the Linux kernel keyring ccache type is an exception to
> this, and is generally what we want. But it's new and certainly not
> commonplace enough to just assume that's what everyone is using. Some
> day it may be that way, but that is not now. I am not aware of any other
> platform that has something analagous to that (I admit I am rather
> ignorant of how OS X's API: ccache works, or Windows' MSLSA: or whatever
> it is).
>

-- 

  Douglas E. Engert  <DEEngert@gmail.com>