[ Hit the wrong button, let me finish my reply below...]

On 8/1/2014 7:50 PM, Andrew Deason wrote:
On Fri, 1 Aug 2014 18:59:02 -0500
Troy Benjegerdes <ho...@hozed.org> wrote:

Doesn't this provide some sort of key management?

http://docs.oracle.com/cd/E23823_01/html/821-2730/gkwrk.html

The Oracle Key Manager thing I thought was for x.509 certs, but I could
be wrong. I've never seen krb5 stuff use anything besides the normal
file-based ccaches on Solaris.

It appears to me that most OSes have gone quite a bit beyond what kinit
and aklog do, and we keep trying to use aklog to adapt square pegs to
round holes because that's what we did when there was no hole or api to
adapt to and we had to write it.

The interface/API/framework/etc that you want to leverage is rpc.gssd
(or gssd or whatever on various platforms). It is NFSv4-specific and not
general purpose. To do what you are saying would be to ask rpc.gssd for
credentials and use those; I do not think that's possible, but I haven't
tried, and I would love to be wrong about that.

If you are surprised or do not believe me that this is general purpose,
well... besides us, nobody besides (some) NFSv4 has ever really had a
need for accessing krb5 creds from the kernel (at least "historically").

Well DCE/DFS did, and they did it by having a daemon, whose name I don't
remember. I believe that is where the NFS gssd got the idea.
DCE enforced a KRB5CCNAME of the ticket cache, in something like
/var/dce/creds/<cachename> where the <cachename> contained the PAG
number. On AIX at least, DCE/DFS and AFS used the same PAG.

Userspace processes do this all the time and that's relatively easy, but
the kernel is an entirely different matter. Even besides the matter of
authentication, some platforms have a lot of assumptions that any
non-local network filesystem is NFS.

As mentioned, the Linux kernel keyring ccache type is an exception to
this, and is generally what we want. But it's new and certainly not
commonplace enough to just assume that's what everyone is using. Some
day it may be that way, but that is not now. I am not aware of any other
platform that has something analogous to that (I admit I am rather
ignorant of how OS X's API: ccache works, or Windows' MSLSA: or whatever
it is).


--

 Douglas E. Engert  <deeng...@gmail.com>

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info