[OpenAFS] Re: Authentication without aklog

Andrew Deason adeason@sinenomine.net
Mon, 4 Aug 2014 21:35:27 -0500

On Mon, 04 Aug 2014 15:21:36 -0500
Douglas E Engert <deengert@gmail.com> wrote:

> Users have to "login" to other "network file systems" like DropBox,
> Box, or other Cloud systems. The issue of having to login twice is a
> trust issue.  Users live with it every day, on the Web.

Users of all other kerberized services do not need to "login" to every
service they use. If everything is configured properly to use kerberos,
I don't need to separately login to the ldap server, to ssh, to
kerberized nfs, or even to a website using spnego. I just use the
relevant service after I have acquired kerberos tickets. Of course, most
of those are userspace programs where this is much easier, but I see no
reason for the user experience to be different for a non-userspace
application if there are no technical obstacles making it impossible.
(And imo, NFS has shown it's not impossible.)

I can only imagine if I wanted to use 5 different kerberized services on
the same box, and they all worked like AFS. Running aklog, nfsklog,
sshklog, ldapklog, httpklog... it would be a nightmare. aklog has the
ability to authenticate to multiple cells (which would help for dfs, and
could probably help for nfs if it needed it, etc) but it would have to
have knowledge of every single system to be convenient.

Andrew Deason