> http://developer.apple.com/documentation/Security/Conceptual/Security_Overview/Security_Services/chapter_4_section_6.html
>
> Presumably, it would be straightforward for AFS and Kerberos to use
> Keychain Services and provide their own CLI interface, no? Or are
> you concerned about something completely different?
I can't speak for lxs, but here's my take after reading the documentation you referenced. The focus of the Keychain seems to be on storing "long term" secrets; in other words, passwords. I know it can store other things, but the majority of the documentation and examples talk about that. The problem is that AFS tokens are "short lived" secrets; you get a new one every time you re-authenticate to Kerberos. Maybe you could fit it in there, but it's not obvious to me how you would do it. I think to really make it work you'd need to extend how Keychain works.

Shifting gears a bit ... as long as we're talking about OpenAFS, MacOS X, and the AFS token, it would be useful if we could reference AFS tokens by the MacOS Security Session (the one that's created by SessionCreate()), rather than by userid as we do now. I guess all we would really need from the MacOS side is a way inside of the kernel to know what session a particular process belongs to. This would let us do PAGs the "right" way on MacOS X.

--Ken

_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
