Integration of k5start/krenew functionality
Douglas E. Engert
deengert at anl.gov
Wed Aug 5 09:53:45 EDT 2009
Jeffrey Hutzelman wrote:
> --On Tuesday, August 04, 2009 01:04:13 PM -0400 Sam Hartman
> <hartmans at mit.edu> wrote:
>
>> 5) Plugins are good. AFS, Linux keyring management (establish a session
>> keyring), etc all could use plugins. Depending on things like pagsh is
>> administrator-hostile.
>
> What do you think of the argument that "complex" credential management,
> such as automatically maintaining AFS credentials and setting up a new PAG,
> keyring, SSH agent, etc. should be left entirely to external tools such as
> kstart and not distributed with Kerberos at all?
>
> Do we want a situation where, for example, Kerberos and AFS are aware of
> each other, and if you install both you get something more than the sum of
> the pieces? Or is the problem better solved by a separate tool which is
> based on public interfaces exported by both?

Other examples of credentials could be included in this mix, including
Kx509 and NFSv4 use of tickets in the kernel.

Many of the issues have been addressed in login and screen unlock,
when credentials are renewed, and pam modules handle obtaining
additional credentials. Could pam be used from kinit much like screen unlock?

>
> -- Jeff
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444