On Fri, 1 Aug 2014 18:59:02 -0500 Troy Benjegerdes <ho...@hozed.org> wrote:
> Doesn't this provide some sort of key management?
>
> http://docs.oracle.com/cd/E23823_01/html/821-2730/gkwrk.html

The Oracle Key Manager thing I thought was for X.509 certs, but I could be wrong. I've never seen krb5 stuff use anything besides the normal file-based ccaches on Solaris.

> It appears to me that most OSes have gone quite a bit beyond what kinit
> and aklog do, and we keep trying to use aklog to adapt square pegs to
> round holes because that's what we did when there was no hole or api to
> adapt to and we had to write it.

The interface/API/framework/etc. that you want to leverage is rpc.gssd (or gssd or whatever on various platforms). It is NFSv4-specific and not general purpose. To do what you are saying would be to ask rpc.gssd for credentials and use those; I do not think that's possible, but I haven't tried, and I would love to be wrong about that.

If you are surprised or do not believe me that this is not general purpose, well... besides us, nobody besides (some) NFSv4 has ever really had a need for accessing krb5 creds from the kernel (at least "historically"). Userspace processes do this all the time and that's relatively easy, but the kernel is an entirely different matter. Even besides the matter of authentication, some platforms have a lot of assumptions that any non-local network filesystem is NFS.

As mentioned, the Linux kernel keyring ccache type is an exception to this, and is generally what we want. But it's new and certainly not commonplace enough to just assume that's what everyone is using. Some day it may be that way, but that is not now. I am not aware of any other platform that has something analogous to that (I admit I am rather ignorant of how OS X's API: ccache works, or Windows' MSLSA: or whatever it is).

-- 
Andrew Deason
adea...@sinenomine.net

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
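The message above turns on which credential cache type a host is actually using: a FILE ccache (the usual default), the Linux KEYRING type that a kernel consumer can reach, or the OS-private API: and MSLSA: types. The script below is an added example, not code from this thread or from OpenAFS. It classifies a ccache name by its type prefix, resolves which cache a process would open (KRB5CCNAME, then krb5.conf's default_ccache_name, then the compiled-in default), and flags whether that cache lives where the kernel could read it. It assumes MIT krb5 naming conventions (a name with no TYPE: prefix is a FILE path; the compiled-in default is FILE:/tmp/krb5cc_%{uid}), and the two krb5.conf fragments it reads are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenAFS. Classifies a
# Kerberos credential cache (ccache) name by its type prefix and reports
# whether a kernel consumer could read it directly: of the types named in
# the message, only the Linux KEYRING ccache lives inside the kernel;
# FILE, DIR, API (OS X) and MSLSA (Windows) are user-space or OS-private.
# Assumptions (MIT krb5 behaviour, not checked against Heimdal): a name
# with no "TYPE:" prefix is a FILE path, the compiled-in default is
# FILE:/tmp/krb5cc_%{uid}, and KRB5CCNAME overrides krb5.conf.

# ccache_type NAME -> prints the type prefix (FILE when none is given).
ccache_type() {
    case $1 in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# default_ccache_from_conf < krb5.conf -> prints default_ccache_name from
# [libdefaults], or the compiled-in default if the key is absent.
# Minimal scan: honours section headers and '#'/';' comments, not includes.
default_ccache_from_conf() {
    awk '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ {
            in_lib = ($0 ~ /^[[:space:]]*\[libdefaults\]/)
            next
        }
        in_lib && /^[[:space:]]*default_ccache_name[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            print
            found = 1
            exit
        }
        END { if (!found) print "FILE:/tmp/krb5cc_%{uid}" }
    '
}

# effective_ccache CONF [KRB5CCNAME] -> the cache a process would open.
effective_ccache() {
    if [ -n "$2" ]; then
        printf '%s\n' "$2"
    else
        default_ccache_from_conf < "$1"
    fi
}

# kernel_visible NAME -> "yes" only for KEYRING caches.
kernel_visible() {
    case $(ccache_type "$1") in
        KEYRING) echo yes ;;
        *)       echo no ;;
    esac
}

# Constructed sample configs (not taken from any real host).
WORKDIR=$(mktemp -d)
cat > "$WORKDIR/krb5-file.conf" <<'EOF'
# distro-default style: no default_ccache_name at all
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
EOF
cat > "$WORKDIR/krb5-keyring.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}
EOF

for c in "$WORKDIR/krb5-file.conf" "$WORKDIR/krb5-keyring.conf"; do
    cc=$(effective_ccache "$c")
    printf '%-20s %-30s type=%-8s kernel=%s\n' "$(basename "$c")" "$cc" \
        "$(ccache_type "$cc")" "$(kernel_visible "$cc")"
done
# KRB5CCNAME in the environment wins over either config.
cc=$(effective_ccache "$WORKDIR/krb5-keyring.conf" /tmp/krb5cc_1000)
printf '%-20s %-30s type=%-8s kernel=%s\n' KRB5CCNAME "$cc" \
    "$(ccache_type "$cc")" "$(kernel_visible "$cc")"
```

The point the classification makes is the one in the message: a stock configuration resolves to a FILE cache, which a user-space aklog can read but the kernel cannot, and a single exported KRB5CCNAME silently overrides a KEYRING default, so a host that "uses the keyring" in krb5.conf may not be doing so for a given session.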