[OpenAFS-port-darwin] aklog/afslog at console login and Mac OS 10.2

Ragnar Sundblad ragge@nada.kth.se
Tue, 17 Sep 2002 06:15:04 +0200


We have home directories in afs and therefore need to have
tokens set up at login time before the dock, finder and
friends start. For Mac OS < 10.2 we have used a NeXT style
loginwindow authenticator, but those hooks are ripped out
in 10.2.

We are now instead using the apple (mit) kerberos for
authentication, but it doesn't know anything about afs
tokens (sadly :-).

There are several places to plug in now, but none of
them seems really fit for this. In addition, the apis
are either explicitly private or seem to be in flux.

I have written a plugin to the kerberos ticket cache
that gets notified when there are certain changes to the
cache, I guess when the TGTs are installed or replaced
or something like that.

It seems to do the work, but is kind of ugly, in several
ways:
- Due to problems with the krbafs lib and the apple
kerberos I had to fall back to heimdal with a cache
handler that reads from apple's cache. The plugin
is now 1,5MB, statically linked to avoid soaking in
apple kerberos which it otherwise is very keen on.
- Due to how the processes are set up and what gets
run how and when and from where I have to use per uid
tokens instead of per process group tokens (we did that
before too but still not what one would like.)
- The only time I can get at the tickets, the plugin
runs as root with no information on what user this is
all about, so I have to lift out the username from
the credentials cache's principal and setuid to that user
to install the tokens. I am not sure if this could be a
problem, securitywise or otherwise.
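As an added example (not code from the post or from OpenAFS), one way to constrain the root-to-user switch described above: accept only plain user principals in the site realm, refuse anything that resolves to uid 0, and drop supplementary groups before setgid/setuid. The realm NADA.KTH.SE and all function names are assumptions.

```c
#define _GNU_SOURCE /* glibc: declare setgroups() in <grp.h> */
#include <grp.h>
#include <pwd.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Split "primary[/instance]@REALM" into parts; 0 on success, -1 if malformed. */
int parse_principal(const char *princ, char *primary, size_t plen,
                    char *instance, size_t ilen, char *realm, size_t rlen) {
    const char *at = strrchr(princ, '@');
    if (at == NULL || at == princ || at[1] == '\0') return -1;
    const char *slash = memchr(princ, '/', (size_t)(at - princ));
    size_t n = (size_t)((slash ? slash : at) - princ);
    if (n == 0 || n >= plen) return -1;
    memcpy(primary, princ, n); primary[n] = '\0';
    instance[0] = '\0';
    if (slash) {
        size_t m = (size_t)(at - slash - 1);
        if (m >= ilen) return -1;
        memcpy(instance, slash + 1, m); instance[m] = '\0';
    }
    if (strlen(at + 1) >= rlen) return -1;
    strcpy(realm, at + 1);
    return 0;
}
/* Map a cache principal to a local account: only a plain user principal (no
 * instance such as user/admin) in the expected realm that resolves to a
 * non-root account is accepted. Returns 0 and sets *uid/*gid, else -1. */
int principal_to_uid(const char *princ, const char *expected_realm,
                     uid_t *uid, gid_t *gid) {
    char primary[64], instance[64], realm[128];
    if (parse_principal(princ, primary, sizeof primary, instance,
                        sizeof instance, realm, sizeof realm) != 0) return -1;
    if (instance[0] != '\0') return -1;                /* not a login identity */
    if (strcmp(realm, expected_realm) != 0) return -1; /* realms are case-sensitive */
    struct passwd *pw = getpwnam(primary);
    if (pw == NULL || pw->pw_uid == 0) return -1;      /* unknown user, or root */
    *uid = pw->pw_uid; *gid = pw->pw_gid;
    return 0;
}
/* Permanently drop root to the user before running aklog/afslog: supplementary
 * groups first, then gid, then uid, and verify that root cannot be regained. */
int drop_to_user(uid_t uid, gid_t gid) {
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid) return -1;
    return setuid(0) == 0 ? -1 : 0; /* must fail with EPERM once privileges are gone */
}
```

After drop_to_user() succeeds the plugin would exec aklog/afslog as that user; the per-uid token problem the post mentions is unchanged by this.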


There are some other possibilities:
- Set up a real per-process-group pag from loginwindow
or something somehow, and use that to avoid setuiding
and do other ugly stuff. I am not sure how loginwindow
and WindowServer do their things, though, I think
loginwindow starts WindowServer when it needs to, but
they seem to live together in some symbiotic way, and
both have 1 as parent pid. Maybe a wrapped loginwindow
called from init (/etc/ttys) could set up a pag.
- Maybe one could write an authorization plugin that
does what we want, but those apis are private, at least
for now.
- Since darwin/Mac OS X actually has some kind of environment
that does more or less what the pretty ugly afs pag things
do, one maybe could use that instead. There is some
per-session mach port world, and I guess the SecurityServer
tries to do something similar but maybe more secure or
something. I am not very initiated in how any of those
systems really work. I am not sure it would help very
much either, more than perhaps to connect the user session
with the SecurityAgent which otherwise lives in completely
different worlds (process trees).

Also, we currently don't have anything renewing renewable
tickets and getting new afs tokens every now and then. We
had a separate app for that in pre 10.2, it could probably
be ported pretty easily, but should maybe be thought over
again.

At loginhook time there is no ticket cache available
anywhere. That might change when apple continues to develop
the authorization things, and if so things could maybe,
just maybe be a little easier. We still need a way to renew
tokens, though.

How is everybody else doing console login time afslog-ing
with Mac OS X 10.2?

/ragge