[OpenAFS] Re: Authentication without aklog

Andrew Deason adeason@sinenomine.net
Thu, 31 Jul 2014 17:18:49 -0500


On Thu, 31 Jul 2014 20:41:08 +0000
Brandon Allbery <ballbery@sinenomine.net> wrote:

> I think this also kills off PAGs pretty effectively, unless the
> equivalent of rpc.gssd has some privileged access to all PAGs and a
> way to map a given access to its PAG.

This certainly would have information about PAGs, since it goes through
the kernel module.

But anyways, I think the idea that this makes PAGs useless is only
really at all true for the first option I mentioned (global
rpc.gssd-like behavior). And even then, PAGs still seem like they can be
used to a limited degree, but maybe not as usefully. As in, the
rpc.gssd-like behavior can be a fallback, but you can still explicitly
set tokens; so different PAGs could still have different credentials in
them.

And like you mentioned, some people don't care about PAGs, so even if
this makes PAGs useless, that's not necessarily a problem.

-- 
Andrew Deason
adeason@sinenomine.net