[OpenAFS] Redux: Linux: systemctl --user vs. AFS

spacefrogg-openafs@spacefrogg.net spacefrogg-openafs@spacefrogg.net
Thu, 5 Aug 2021 11:58:32 +0000 (UTC)

While this thread is live again, let me contribute my own findings on this. Our network runs mainly NixOS machines.

For us, using sssd for Kerberos ticket management turned out to be a huge benefit, mainly for its centralized ticket refresh functionality. We hold users' tickets in well-known files. Using sssd lifts the necessity to have the directory holding ticket caches user-writable. So, well-known cache files are not a security concern anymore.

We use systemd, as well. We have set up the systemd-user@.service in a way that it acquires an AFS token before starting. Thus, all dependent user services have AFS access. This is what we need well-known ticket cache files for. PAM has already run at the time, so the cache is hot.

Lingering obviously does not work with this setup.

We use nopag tokens, as we don't believe in its added security promises. In parallel, we allow ticket forwarding for remote logins, mainly for the benefit of single sign-on. So, this circumvents most promises PAGs would give us anyway.

nopag also allows us to post-acquire AFS tokens for systemd services of a running session, which is important for road-warrior (does one still use this term?) setups.

PAGs are a big usability bonus, though, when using pagsh to temporarily acquire an administrative shell.

Hope this helps!
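The setup described in the post, written out as an added configuration example (not the poster's own files): a drop-in for the standard systemd user@.service that points the user manager at the sssd-maintained ticket cache and acquires a UID-bound (nopag) AFS token before the manager starts. The drop-in path, the cache directory and the aklog path are assumptions; the cache template must match whatever sssd is configured with.

```ini
# /etc/sssd/sssd.conf (relevant keys only; domain name is a placeholder)
[domain/EXAMPLE.ORG]
# Well-known, per-UID ticket cache written by sssd, not by the user.
# %U expands to the numeric UID. Directory path is an assumption.
krb5_ccname_template = FILE:/var/lib/sss/krb5cc/%U
# Central ticket refresh: sssd renews renewable tickets every 15 minutes,
# so the cache stays hot for the whole session.
krb5_renew_interval = 15m

# /etc/systemd/system/user@.service.d/afs-token.conf (drop-in path assumed)
[Service]
# Hand the same cache to the user manager and, through inheritance, to every
# --user service it spawns. %i is the UID in user@.service instances.
Environment=KRB5CCNAME=FILE:/var/lib/sss/krb5cc/%i
# Acquire the AFS token before systemd --user starts. ExecStartPre already
# runs as User=%i; because it is not wrapped in pagsh, the token is attached
# to the UID rather than to a PAG, which is exactly the nopag behaviour the
# post relies on. The leading "-" lets the manager start even when no ticket
# exists yet (e.g. a lingering user at boot, whose cache is still cold).
ExecStartPre=-/run/current-system/sw/bin/aklog
```

Apply with `systemctl daemon-reload`; a user's next login (the PAM run that fills the cache) then starts a user manager whose services can read AFS.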