Integration of k5start/krenew functionality

Ken Raeburn raeburn at MIT.EDU
Sat Aug 1 19:32:52 EDT 2009

On Aug 1, 2009, at 18:33, Ken Hornstein wrote:
> If my choices are to use Russ's commands (k5start and krenew) or use  
> some
> combination of pagsh/MIT programs that may know about aklog .... well,
> the choice is easy: I would use Russ's programs in a heartbeat.  It's
> just easier (I have enough time getting the levels of quoting right
> when using multiple levels of shell interpretation .... I can't  
> imagine
> what an unsophisticated user would do).

I'd be okay with providing plugins and/or scripts tailored for AFS  
support, that can do things like run setpag/pagsh and get the quoting  
right for you.  I don't think it should be quite so integral to our  
basic tools, nor should we have yet another configure-time option  
resulting in different flavors of packages to install.

> If the goal is to support AFS, then I think you should go whole- 
> hog.  If
> you're only going to support it half-assed ... well, what is the  
> point,
> exactly?  If there are other possible consumers of this functionality,
> then of course this makes sense.

My concern is that AFS isn't unique -- how many different Kerberos- 
based packages should we add specific code and configure-time options  
for?  How many programs need to do something interesting when Kerberos  
tickets are updated?

The PAG issue Russ brings up is important.  Maybe that does make AFS  
unique... or maybe it's just the only moderately successful such  
package so far in the Kerberos context.  (Linux keyring sessions?)   
I'm not familiar enough with usage of his tools to know if there's an  
alternative (exec pagsh telling it to exec our program but without the  
"create a PAG" option?).  So, yeah, maybe the AFS support does need to  
be in the same process.  Can we do it with a tiny plugin module that  
can either be installed or not depending on whether you need the AFS  
support, so we don't have to recompile the Kerberos code itself?  (Or  
even code we ship that tries a dlopen of the AFS library.)  Then if  
the command-line flag for a new PAG is given, and the support isn't  
installed, we just print an error.


More information about the krbdev mailing list