[OpenAFS] Separating AFS tokens generation from Authentication

Douglas E. Engert deengert@anl.gov
Mon, 15 Oct 2001 14:29:51 -0500


"Neulinger, Nathan" wrote:
> 
> Interesting... will take a look, does sound promising, particularly for
> integration with NT...

Did you get back to this?


> 
> Yucky tar file though that extracts into src/*... But that's just cosmetic.
> :)
> 
> -- Nathan
> 
> > -----Original Message-----
> > From: Douglas E. Engert [mailto:deengert@anl.gov]
> > Sent: Wednesday, October 10, 2001 10:19 AM
> > To: OpenAFS-info@openafs.org
> > Cc: security@gobus.org
> > Subject: [OpenAFS] Separating AFS tokens generation from
> > Authentication
> >
> >
> > AFS authentication and authorization have been based on Kerberos V4.
> > When used with Kerberos V5, either the KDC must issue a K4 ticket,
> > or a krb524d is required to convert V5 tickets to V4 tickets so they
> > can be used for AFS tokens.
> >
> > We would like to separate the method used for authentication from the
> > generation/use of the AFS tokens.
> >
> > As part of the Globus Project(tm), http://www.globus.org, we are
> > working on an alternate solution, which allows other authentication
> > methods to be used to obtain AFS tokens.
> >
> > This is accomplished by using GSSAPI from the client, gsiklog, to
> > authenticate to a daemon, gsiklogd, running on one or more of the AFS
> > database server machines. A request is then sent protected by the GSS
> > to the daemon, which returns an AFS token, also protected by the GSS.
> > The daemon uses the gss_inquire functions to get the client's identity
> > and lifetime, and uses these to construct an AFS token, using a simple
> > mapping database which maps GSS identities to AFS users.
> >
> > Since the token is sent using the GSS wrap/unwrap, it is not
> > encrypted in a Kerberos tgt session key. This completely separates the
> > authentication from the token generation, and in our case the GSSAPI
> > is based on SSL.
> >
> > The gsiklog is a modified klog based on OpenAFS, and the gsiklogd is a
> > modified gss demo program which calls routines based on OpenAFS to
> > generate tokens. You will need the Transarc or OpenAFS libs and
> > includes and a GSSAPI implementation.
> >
> > The gsiklog and gsiklogd could also be used with the Kerberos GSSAPI.
> > Doing this means you don't need a KDC which understands V4, or a
> > krb524d. It also means that one could use stronger keys for
> > authentication with Kerberos V5, yet still use the DES keys with the
> > tokens, or even update the keys in the tokens, separate from the
> > authentication. It also means that future tokens are not required to
> > be based on V4 or V5 tickets, but could use some other format.
> >
> > If anyone is interested a beta version of this is available at:
> > ftp://achilles.ctd.anl.gov/pub/DEE/gsiklog-0.9.tar
> >
> > Comments?
> >
> > --
> >
> >  Douglas E. Engert  <DEEngert@anl.gov>
> >  Argonne National Laboratory
> >  9700 South Cass Avenue
> >  Argonne, Illinois  60439
> >  (630) 252-5444
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
> >

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
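The gsiklog/gsiklogd exchange described in the quoted post, as an added example that is not code from the post or from the gsiklog package: GSS wrap/unwrap is stood in for by an HMAC keyed with a per-context key, and the mapping database, identities and site lifetime cap are constructed. It shows the daemon taking the AFS user from the authenticated GSS context rather than from anything in the request body, and bounding the token lifetime by the context lifetime.

```python
import hmac, hashlib, json
from dataclasses import dataclass

# Constructed mapping database (GSS identity -> AFS user), standing in for the
# "simple mapping database" the post describes. Names are made up.
MAPPING_DB = {
    "/O=Grid/O=Globus/OU=example.org/CN=Alice Example": "alice",
    "/O=Grid/O=Globus/OU=example.org/CN=Bob Example": "bob",
}
MAX_TOKEN_LIFETIME = 24 * 3600  # hypothetical site cap on token lifetime, seconds

@dataclass
class GssContext:
    # The facts gss_inquire_context() reports for an established security context.
    initiator: str      # authenticated client identity (from the context, not the message)
    lifetime_rec: int   # seconds the context remains valid
    key: bytes          # stand-in for the per-context key behind gss_wrap/gss_unwrap

def gss_wrap(ctx: GssContext, msg: dict) -> bytes:
    # Stand-in for gss_wrap with integrity protection: message || HMAC(key, message).
    body = json.dumps(msg, sort_keys=True).encode()
    return body + b"|" + hmac.new(ctx.key, body, hashlib.sha256).hexdigest().encode()

def gss_unwrap(ctx: GssContext, token: bytes) -> dict:
    body, _, mac = token.rpartition(b"|")
    expected = hmac.new(ctx.key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, expected):
        raise PermissionError("GSS integrity check failed")
    return json.loads(body)

def gsiklogd_handle(ctx: GssContext, wrapped_request: bytes) -> bytes:
    """Daemon side: unwrap the request, derive the user from the context, build a token."""
    request = gss_unwrap(ctx, wrapped_request)
    afs_user = MAPPING_DB.get(ctx.initiator)   # any "user" field in the request is ignored
    if afs_user is None:
        raise PermissionError(f"no AFS mapping for {ctx.initiator}")
    lifetime = min(int(request.get("lifetime", MAX_TOKEN_LIFETIME)),
                   ctx.lifetime_rec, MAX_TOKEN_LIFETIME)
    if lifetime <= 0:
        raise PermissionError("context expired")
    token = {"cell": request["cell"], "user": afs_user, "lifetime": lifetime}
    return gss_wrap(ctx, token)

def gsiklog(ctx: GssContext, cell: str, lifetime: int) -> dict:
    """Client side: send the wrapped request and unwrap the returned token."""
    reply = gsiklogd_handle(ctx, gss_wrap(ctx, {"cell": cell, "lifetime": lifetime}))
    return gss_unwrap(ctx, reply)
```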