[AFS3-std] tokens for bosserver

Simon Wilkinson simon@sxw.org.uk
Thu, 14 Feb 2013 23:00:24 +0000


On 14 Feb 2013, at 22:43, Benjamin Kaduk wrote:

> On Thu, 14 Feb 2013, Andrew Deason wrote:

>> Can't we have it use either afs3-bos@host or afs-rxgk@_afs.cell? It
>> seems unnecessary to require the generation of a new identity for each
>> bosserver, if they're all allowed to have the cell-wide key, unless I'm
>> missing something.
>
> That seems like an implementation decision which need not be
> standardized, but yes, we could.

Implementing this would be tricky. You'd have to require that both keys
were present in the same keytab, and then have gss_accept_sec_context
accept any credential, and then export the accepted name and check that
it matched either of the keys that you were prepared to accept. Doing
that in a way that is mechanism-independent isn't possible with stock
GSSAPI (we hit this problem with OpenSSH). Doing it in a
mechanism-specific fashion requires all sorts of nastiness around
gss_export_name.

> Simon doesn't like the idea, though.

The idea I was previously not keen on is allowing either a bos-specific
rxgk token, or a cell-wide rxgk token to be used in connections to the
bosserver, as it opens up all sorts of complications when you're trying
to decrypt it. I think I'm even less keen on this idea, though :)

Cheers,

Simon.