Integration of k5start/krenew functionality
raeburn at MIT.EDU
Sat Aug 1 19:32:52 EDT 2009
On Aug 1, 2009, at 18:33, Ken Hornstein wrote:
> If my choices are to use Russ's commands (k5start and krenew) or use
> combination of pagsh/MIT programs that may know about aklog .... well,
> the choice is easy: I would use Russ's programs in a heartbeat. It's
> just easier (I have enough time getting the levels of quoting right
> when using multiple levels of shell interpretation .... I can't
> what an unsophisticated user would do).
I'd be okay with providing plugins and/or scripts tailored for AFS
support, that can do things like run setpag/pagsh and get the quoting
right for you. I don't think it should be quite so integral to our
basic tools, nor should we have yet another configure-time option
resulting in different flavors of packages to install.
> If the goal is to support AFS, then I think you should go whole-
> hog. If
> you're only going to support it half-assed ... well, what is the
> exactly? If there are other possible consumers of this functionality,
> then of course this makes sense.
My concern is that AFS isn't unique -- how many different Kerberos-
based packages should we add specific code and configure-time options
for? How many programs need to do something interesting when Kerberos
tickets are updated?
The PAG issue Russ brings up is important. Maybe that does make AFS
unique... or maybe it's just the only moderately successful such
package so far in the Kerberos context. (Linux keyring sessions?)
I'm not familiar enough with usage of his tools to know if there's an
alternative (exec pagsh telling it to exec our program but without the
"create a PAG" option?). So, yeah, maybe the AFS support does need to
be in the same process. Can we do it with a tiny plugin module that
can either be installed or not depending on whether you need the AFS
support, so we don't have to recompile the Kerberos code itself? (Or
even code we ship that tries a dlopen of the AFS library.) Then if
the command-line flag for a new PAG is given, and the support isn't
installed, we just print an error.
More information about the krbdev