> I spent weeks poking around at it several months ago. We *were* well on our way toward a KDC-auth setup in our little corner. I wouldn't *strongly* recommend it to anyone who expects users to get tokens automatically when they login. But usability is of no real concern to security guys.
I don't think that's quite fair. We've been getting AFS tokens at login time automatically for ... I guess it's more than 8 years now (I'm talking about Kerberos 5 + aklog). I consider myself a security guy, and usability is definitely one of my concerns ... we have to balance it against security, of course, but getting AFS tokens at login time is really a no-brainer.

You make it seem like we're all conspiring in some dark basement against you: "Hahaha, by silently deprecating kaserver, we're REALLY going to stick it to Mitre this time!". The reality is more complex. It's been possible to use your Kerberos 5 KDC with AFS (even IBM AFS) for a long time. I gave a presentation about my work on this back at the 1998 (or was it 1997?) Decorum ... and I wasn't the first.

Okay, using a V5 KDC with AFS was on the fringe back then; you had to collect tools from a few different places together to make it all work. It's been more and more common recently; now nearly all of the tools you need to do it are included with OpenAFS, and people have some not-bad writeups in the Wiki explaining what you need to do.

Unfortunately, like many open-source projects, the documentation and integration pieces aren't the best. It's all a matter of resources; once you spend time figuring something out, you don't have much time to write it down for other people. I personally don't think the documentation in the migration kit is so bad (I'm biased, because I wrote it), but that only got written because my boss specifically asked me to.

I don't work on PAM because I think it's evil (I'm sort-of PAM agnostic), but because we have a non-PAM solution working for every system we care about that gets AFS tokens just fine, so I don't care that much about it. Maybe if I had some free time I'd work on it ... but I don't. So it's not like we're actively trying to make usability worse ... it's just that the out-of-the-box experience right now isn't great because no one has the time or energy to devote cycles to the big picture.

--Ken

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
