[AFS3-std] rxgk/rxgk-afs updates

Benjamin Kaduk kaduk@MIT.EDU
Mon, 4 Mar 2013 18:49:23 -0500 (EST)


I pushed a few more changes to 
https://github.com/kaduk/openafs/commits/prot (log below).

In particular,
6204312 Prescribe leap of faith for RegisterAddrsAndKey
is a pretty substantive change, though we have talked about related issues 
a fair amount on this list.  The idea is that (for departmental 
fileservers) the vldb must have a binding between fileserver UUID and some 
GSS identity, to authenticate VL_RegisterAddrs and friends.  A GSS 
identity is needed because we want these RPCs to run over rxgk 
connections, which requires a token, and it's easiest to use the GSS 
negotiation service.  We don't have to care what identity that is, and can 
use "leap of faith" to create a binding for future use (or use 
administrator intervention).  However, to prevent denial of service, we 
cannot use VL_RegisterAddrsAndKey to upgrade an existing fileserver uuid 
using whatever GSS credentials are presented.  (A superuser could still do 
so, though, and a fileserver with the cell-wide key can print tokens which 
are implicitly superuser tokens.)  Hopefully the added text accurately 
conveys these ideas.

There are also a couple of changes to make a clear split between 
database+fileservers, which have special treatment for tokens, and other 
AFS services using rxgk, which operate as more standard rxgk services.  We 
also suggest the afs3-bos@hostname type principal name.

Comments/review welcome.

-Ben


commit 63b2ace02681ec56b1cf5b42ad8a0f63256663bc
Author: Ben Kaduk <kaduk@mit.edu>
Date:   Mon Mar 4 18:35:57 2013 -0500

     Inline VL_RegisterAddrs elements

     Do not attempt to incorporate by reference a reference which does
     not exist.

     Change-Id: I41d725a7ef27525be2002919d04980a45d89c289

commit 620431272eb1365f3eb9fd3dcf89cd6c8195176c
Author: Ben Kaduk <kaduk@mit.edu>
Date:   Mon Mar 4 18:22:34 2013 -0500

     Prescribe leap of faith for RegisterAddrsAndKey

     Bind a GSSAPI identity to fileserver UUID, needed to authenticate
     future operations on that database entry.  Also suggest periodic
     rekeying per best practice on key lifetimes.

     Change-Id: Idec26ee2184fd458186fcbdc4783dbea7d29b4eb

commit 34ed8c60f64b7c81cd0654b27cb8ee63b7621384
Author: Ben Kaduk <kaduk@mit.edu>
Date:   Mon Mar 4 16:54:59 2013 -0500

     Allow empty authenticator appdata opaque for bosserver

     We don't need a cache manager to talk to a bosserver (or potentially
     other non-db, non-fileservers) and may not have a stable UUID
     available.

     Change-Id: I28b62bf5f711066b8f43e2680d4abffa949b99cd

commit a1f731943b2522a84c1815f2f056c3f3398ce9c6
Author: Ben Kaduk <kaduk@mit.edu>
Date:   Mon Mar 4 16:47:03 2013 -0500

     Mention non-database non-files AFS servers

     E.g., bosserver, which must run a negotiation service for the
     bootstrapping stage.

     Change-Id: I83bb749310bf030c1f342a31d1e0e0217e249946

Author: Ben Kaduk <kaduk@mit.edu>
Date:   Mon Mar 4 16:13:43 2013 -0500

     Tweak RXGK error code descriptions

     Do not restrict BAD{LEVEL,ETYPE} to the negotiation RPCs.

     Change-Id: I9b581d31d342907cb6fdfbf3902a1c49137d3283

commit db73249fa194cb05dccd2de9a8e97794592e9cc5
Author: Ben Kaduk <kaduk@mit.edu>
Date:   Mon Mar 4 15:35:52 2013 -0500

     Talk about acceptor principal names for GSSNegotiate

     The client has to know the target principal's name; give it a
     suggestion for when it knows better.
     The server, however, should not specify a name, since that would
     be overly restrictive.

     Change-Id: I24481178aef93b40ae10097f9b76e3765431bbb0

commit e8d2457b4e2f33cee6bc684008edfdd250eb6275
Author: Ben Kaduk <kaduk@mit.edu>
Date:   Mon Mar 4 13:11:22 2013 -0500

     Attempt to make the GSS negotiation loop correct

     Describing these things is always challenging.

     Change-Id: I15ac1d7c8962aac6cd853cbcc404c55df52a8a04

commit bc8ffaf692db07ee5d87e95d03f95015c32b37e8
Author: Ben Kaduk <kaduk@mit.edu>
Date:   Mon Mar 4 12:35:40 2013 -0500

     RXGK challenges do not contain a version stamp

     Such a thing would be useless without discriminated unions, which
     we don't have yet.

     Change-Id: I5d06b3dd80a898701765f755fafa67ca97e1cd27

commit bab989047a2ab41b8f9825c4866355356fff8d8a
Author: Ben Kaduk <kaduk@mit.edu>
Date:   Mon Mar 4 12:31:40 2013 -0500

     Mention maxcalls support

     Now that the explicit variable has gone, add a mention of how to
     use call_numbers<> to determine the maximum number of calls per
     connection supported by this client.

     Change-Id: I46955a6465d911f894d0ae38979c0b9bed5bc430
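The binding policy for VL_RegisterAddrsAndKey sketched in the message (leap of faith on first registration, no takeover of an existing UUID by an unrelated GSS identity, superuser override) as an added illustrative model; this is not OpenAFS code or part of the draft, and the class names, the `Caller`/`VLDB` shapes and all sample principals and addresses are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Caller:
    gss_identity: str        # authenticated GSS name carried by the rxgk token
    superuser: bool = False  # token minted with the cell-wide key / admin token


@dataclass
class VLDB:
    bindings: dict = field(default_factory=dict)  # fileserver uuid -> GSS identity
    addrs: dict = field(default_factory=dict)     # fileserver uuid -> address list

    def register_addrs_and_key(self, uuid, new_addrs, caller):
        """Decide whether to accept a (Re)RegisterAddrsAndKey; return (accepted, reason)."""
        bound = self.bindings.get(uuid)
        if bound is None:
            # Leap of faith: the first identity to register a uuid gets bound to it.
            self.bindings[uuid] = caller.gss_identity
        elif bound != caller.gss_identity and not caller.superuser:
            # Denial-of-service guard: an unrelated identity cannot upgrade an
            # existing entry just by presenting some valid GSS credential.
            return False, "uuid already bound to a different identity"
        elif bound != caller.gss_identity:
            # Administrator intervention: a superuser may explicitly rebind.
            self.bindings[uuid] = caller.gss_identity
        self.addrs[uuid] = list(new_addrs)
        return True, "registered"


def demo():
    """Run the four cases from the message against one constructed vldb."""
    db = VLDB()
    fs = Caller("fileserver-identity@EXAMPLE.ORG")          # constructed
    rogue = Caller("unrelated-user@EXAMPLE.ORG")            # constructed
    admin = Caller("admin@EXAMPLE.ORG", superuser=True)     # constructed
    results = [
        db.register_addrs_and_key("uuid-1", ["10.0.0.1"], fs)[0],     # leap of faith
        db.register_addrs_and_key("uuid-1", ["10.0.0.2"], fs)[0],     # bound identity re-registers
        db.register_addrs_and_key("uuid-1", ["10.9.9.9"], rogue)[0],  # rejected, entry unchanged
        db.register_addrs_and_key("uuid-1", ["10.0.0.3"], admin)[0],  # superuser override
    ]
    return results, db.addrs["uuid-1"], db.bindings["uuid-1"]
```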