[AFS3-std] Re: rxgk-afs tokens for ptservers, etc.

Jeffrey Hutzelman jhutz@cmu.edu
Thu, 14 Feb 2013 15:47:48 -0500


On Thu, 2013-02-14 at 15:02 +0000, Simon Wilkinson wrote:
> That's a Kerberos principal, we've been talking in terms of GSS
> identities (which use @ instead of / as a component separator)

Well, no.  GSS-API host-based names use '@' to separate a service name
from a hostname.  That's the syntax of a particular name type, not a
general GSS-API component separator.  If we decide we don't want to tie
fileservers to a particular hostname, then we need to give them some
other form of identity.

Possibly, the right thing to do is for AFS to include an interface by which
a fileserver first registers itself and establishes a shared key with
the VLDB.  A new fileserver that does not already have a key would call
this interface to exchange keys with the vlserver, after which the
newly-generated key would be associated with the new fileserver's UUID
(which is also newly-generated and must not already be in the VLDB).


The difficulty lies in authenticating this exchange.  There's really no
reason why we have to limit who can register as a fileserver (though for
operational reasons, some sites might want to).  However, a fileserver
calling the key-establishment interface needs to be able to trust the
identity of the vlserver.  In practice, I think that means the new
fileserver (or some register-fs program) will use a Kerberos host key or
an administrator's credentials to authenticate the establish-key RPC,
mostly for mutual-auth.

-- Jeff
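The register-fs exchange sketched in this message, as an added toy simulation; this is not code from the message, from rxgk or from OpenAFS. It assumes a pre-shared "host key" and HMAC as a stand-in for the Kerberos host-key (or admin-credential) authentication Jeff mentions, a dict as a stand-in for the VLDB, and a hypothetical vlserver name; the shared key is wrapped with an HMAC-derived keystream only to model the confidentiality a Kerberos-protected RPC would provide.

```python
"""Toy model of a fileserver registering with the vlserver and establishing
a shared key bound to a fresh UUID.  Hypothetical and simplified: Kerberos is
replaced by a pre-shared HOST_KEY used with HMAC so that both the request and
the reply are authenticated (mutual auth), and the VLDB is a dict mapping
fileserver UUID -> shared key."""
import hashlib
import hmac
import os
import uuid

# Constructed sample host key; in a real deployment both sides would obtain
# credentials from the KDC, never from a literal in the source.
HOST_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def _tag(host_key: bytes, *parts: bytes) -> bytes:
    """HMAC over the labelled message parts (assumed authenticator format)."""
    return hmac.new(host_key, b"|".join(parts), hashlib.sha256).digest()


def _wrap(host_key: bytes, fs_uuid: uuid.UUID, nonce: bytes, key: bytes) -> bytes:
    """XOR the 32-byte key with an HMAC-derived keystream.  Stand-in for the
    encryption the authenticated RPC channel would normally provide."""
    stream = _tag(host_key, b"wrap", fs_uuid.bytes, nonce)
    return bytes(a ^ b for a, b in zip(key, stream))


class VLServer:
    def __init__(self, host_key: bytes = HOST_KEY):
        self.host_key = host_key
        self.vldb = {}  # fileserver UUID -> shared key

    def establish_key(self, fs_uuid: uuid.UUID, req_tag: bytes):
        # Authenticate the caller before touching the VLDB.
        if not hmac.compare_digest(_tag(self.host_key, b"register", fs_uuid.bytes), req_tag):
            raise PermissionError("register-fs request failed authentication")
        # The UUID is freshly generated by the fileserver and must not already
        # be in the VLDB; refuse rather than silently replace an existing key.
        if fs_uuid in self.vldb:
            raise ValueError(f"UUID {fs_uuid} already present in VLDB")
        key = os.urandom(32)
        self.vldb[fs_uuid] = key
        nonce = os.urandom(16)
        wrapped = _wrap(self.host_key, fs_uuid, nonce, key)
        # Authenticate the reply so the fileserver can trust it came from the
        # vlserver: the mutual-auth half of the exchange.
        reply_tag = _tag(self.host_key, b"reply", fs_uuid.bytes, nonce, wrapped)
        return nonce, wrapped, reply_tag


class FileServer:
    def __init__(self, host_key: bytes = HOST_KEY):
        self.host_key = host_key
        self.uuid = uuid.uuid4()  # newly generated identity, not a hostname
        self.key = None

    def register(self, vl: VLServer) -> bytes:
        req_tag = _tag(self.host_key, b"register", self.uuid.bytes)
        nonce, wrapped, reply_tag = vl.establish_key(self.uuid, req_tag)
        expected = _tag(self.host_key, b"reply", self.uuid.bytes, nonce, wrapped)
        if not hmac.compare_digest(expected, reply_tag):
            raise PermissionError("vlserver reply failed authentication")
        self.key = _wrap(self.host_key, self.uuid, nonce, wrapped)
        return self.key


def run_exchange():
    """Register one fileserver; returns (vlserver, fileserver) for inspection."""
    vl = VLServer()
    fs = FileServer()
    fs.register(vl)
    return vl, fs


if __name__ == "__main__":
    vl, fs = run_exchange()
    print(f"registered {fs.uuid}, key bound in VLDB: {vl.vldb[fs.uuid] == fs.key}")
```

The two checks a practitioner would want to see are both exercised: a second registration reusing an existing UUID is refused instead of overwriting the key, and a party holding the wrong host key cannot complete either direction of the exchange.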