On Fri, Aug 01, 2014 at 03:15:26PM +0100, David Howells wrote:
> chas williams - CONTRACTOR <[email protected]> wrote:
>
> > Not impossible for Linux. I believe that the Linux keyring code
> > allows for down calls from the kernel to user space in order to ask
> > something to insert the appropriate keys (see keys-request-key.txt in
> > the Linux kernel).
>
> Yes. request_key() will call out to userspace to instantiate a key it doesn't
> have yet, passing the caller's keyrings over so that the TGT can be retrieved.
>
I think the Linux keyring approach got it right with respect to giving the
right user experience that is secure and maintainable. The problem with AFS
seems to be everyone who knows you need to 'kinit ; aklog', and it's been so
long we have all forgotten the experience of what it was like before we
realized this.

So why don't we use the kernel keyring on Linux, and the built-in OS support
on both MacOS and Windows for Kerberos, to grab the key that matches the
default realm? If you have weird situations, or where administrators feel they
must stick with 'legacy' behavior, then make a 'disable_request_key()' option
to the cache manager.

-- 
----------------------------------------------------------------------------
Troy Benjegerdes                 'da hozer'                  [email protected]
7 elements      earth::water::air::fire::mind::spirit::soul        grid.coop

      Never pick a fight with someone who buys ink by the barrel,
          nor try buy a hacker who makes money by the megahash

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
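To make the request_key() upcall David describes concrete, here is an added example of the userspace half of that mechanism: the helper that /sbin/request-key runs when the kernel asks for a key it does not have. It is not code from this thread, from OpenAFS or from the kernel. Everything about the AFS wiring is assumed for illustration: that a token is modelled as a `user` type key described as `afs:<cell>`, the config path `/etc/request-key.d/afs.conf`, the helper path `/usr/libexec/afs-request-token`, and a site command `afs-get-token` that writes a raw token to stdout. The request-key.conf column layout, the `%k`/`%d`/`%S` substitutions and the `keyctl pinstantiate` / `keyctl negate` commands are the real keyutils interfaces.

```shell
#!/bin/sh
# Added example (not OpenAFS or kernel code): a request_key() callout helper in the
# style of the keys-request-key.txt mechanism the thread refers to.
#
# ASSUMED wiring, not an existing OpenAFS interface: an AFS token is modelled as a
# "user" type key described as "afs:<cell>", and /etc/request-key.d/afs.conf carries
#   #OP     TYPE   DESCRIPTION  CALLOUT-INFO  PROGRAM ARG1 ARG2 ARG3
#   create  user   afs:*        *             /usr/libexec/afs-request-token %k %d %S
# When the cache manager calls request_key() for a missing key, the kernel runs
# /sbin/request-key, which runs this helper with the key id (%k), the description
# (%d) and the requestor's session keyring (%S). The helper must either
# instantiate the key or negate it; otherwise the requestor blocks until timeout.
set -eu

# "afs:<cell>" -> "<cell>"; anything else is rejected so a stray config line
# cannot hand this helper an unrelated key.
cell_from_description() {
    case $1 in
        afs:?*) printf '%s\n' "${1#afs:}" ;;
        *) echo "unexpected key description: $1" >&2; return 1 ;;
    esac
}

# Print default_realm from the [libdefaults] section of a krb5.conf-style file.
# Handles "key = value" and "key=value", ignores the same key in other sections.
default_realm_from_conf() {
    awk '
        /^[[:space:]]*\[/ { in_libdefaults = ($0 ~ /^[[:space:]]*\[libdefaults\][[:space:]]*$/); next }
        in_libdefaults && /^[[:space:]]*default_realm[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }
    ' "$1"
}

# Callout entry point: exactly the three arguments the config line above passes.
request_token() {
    key_id=$1 desc=$2 session_kr=$3
    cell=$(cell_from_description "$desc") || { keyctl negate "$key_id" 30 "$session_kr"; return 1; }
    realm=$(default_realm_from_conf /etc/krb5.conf)

    umask 077
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT

    # afs-get-token is a HYPOTHETICAL site command that writes the raw token for
    # <cell>, obtained from the caller's TGT in <realm>, to stdout. Tokens are
    # binary, so they go through a 0600 file, never through a shell variable or a log.
    if afs-get-token --cell "$cell" --realm "$realm" >"$tmp" 2>/dev/null && [ -s "$tmp" ]; then
        keyctl pinstantiate "$key_id" "$session_kr" <"$tmp"     # payload read from stdin
    else
        # Negative instantiation with a 30 s timeout: lookups in that window fail
        # fast with ENOKEY instead of re-running this upcall on every file access.
        keyctl negate "$key_id" 30 "$session_kr"
    fi
}

# Only act as a callout when invoked with the three arguments; running the file
# without arguments just defines the functions.
if [ $# -eq 3 ]; then
    request_token "$@"
fi
```

Two points a deployment would still have to settle: the kernel runs the callout as root, so the token fetch should be performed as the requesting user (pass `%u` as a further argument and switch to that uid) so it finds that user's credential cache rather than root's; and the negate timeout is what keeps a missing or expired TGT from turning every file access into a fresh upcall, which is the behaviour a `disable_request_key()` style knob would have to preserve when the upcall is switched off.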
