[AFS3-std] Re: tokens for bosserver

Andrew Deason adeason@sinenomine.net
Thu, 14 Feb 2013 17:10:28 -0600


On Thu, 14 Feb 2013 23:00:24 +0000
Simon Wilkinson <simon@sxw.org.uk> wrote:

> Implementing this would be tricky. You'd have to require that both
> keys were present in the same keytab, and then have
> gss_accept_sec_context accept any credential, and then export the
> accepted name and check that it matched either of the keys that you
> were prepared to accept. Doing that in a way that is mechanism
> independent isn't possible with stock GSSAPI (we hit this problem with
> OpenSSH). Doing it in a mechanism specific fashion requires all sorts
> of nastiness around gss_export_name.

The above seems to imply that the server needs to be able to accept
either one all the time, if I'm reading that correctly. That's not what
I mean. My thinking was that servers with the cell-wide key would just
use afs-rxgk@_afs.cell, and servers that don't have the cell-wide key
would use afs3-bos@host. The client would try with afs3-bos@host, but if
that doesn't exist (or the connection negotiation fails), we would retry
assuming that we can use afs-rxgk@_afs.cell. That's a problem?

-- 
Andrew Deason
adeason@sinenomine.net