Keytab-based initiator creds design

Henry B. Hotz hotz at
Wed Jun 13 02:14:08 EDT 2012

In case you couldn't tell, I happen to think that AFS got it about 95% right with PAGs.  I'm really annoyed that over the decades everyone keeps wanting to improve on that wheel by adding corners and bells and such that hurt the usefulness more than they help.  (That's when they aren't busy trying to simplify wheels into stilts.)  PAGs solve problems, like giving the right credentials to set-uid-root programs, that other systems don't even realize *should*be* problems.

In fact the only place where I know I want something more than a PAG is inside a complex app.  I'd like (optionally) to have a different "PAG" for each web page that my browser knows about, for instance.

Actual usage is nowhere near as random as a random selector would imply.  That interface only works for me as an ordinary user if you wrap some kind of push/pop interface on top of it.  I shouldn't have to keep track of ccache names, or specifically choose them;  that's the system's job.

Anyone who's spent a few months with AFS on a platform that properly implements PAGs you should have some idea what I mean.  Complaints aside, I really am perplexed by why people always want to implement something completely different.

On Jun 12, 2012, at 2:14 PM, Nico Williams wrote:

> On Tue, Jun 12, 2012 at 3:49 PM, Henry B. Hotz <hotz at> wrote:
>> If the UI for changing default cc's were as good as the UI for PAGs I'd have more sympathy for that viewpoint.  I want a "give me a new default cc, I don't care what you call it" operation.  I want a "pop" operation that destroys the current default cc and restores the previous one.
>> And I want multiple ssh logins to always have different cc's.  I'm perplexed as to why this use case seems to be considered as an edge case instead of the primary use case.
> What I'm saying is that I want something more than PAGs, and something
> less also.  I want two things:
> - better identity selection interfaces (krb5_cc_select() is a good
> step forward)
> - sessions (PAGs and PAG-like) with some isolation semantics

A PAG is a awful lot like a session.  It's just really easy and natural to create (and destroy) new ones whenever you want.  Isolation would be good, too (if only the OSs would cooperate and provide the capability).

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the krbdev mailing list