[OpenAFS-devel] rx + kerberos5 + !des

Marcus Watts mdw@umich.edu
Sat, 14 May 2005 22:47:08 -0400


Where do we stand with respect to rx, kerberos, and anything better
than des?  I seem to recall Derrick promising something here by summer,
but with no real details.  I know there's a "rxgk" in the openafs
source, which looks interesting, but only does des, and claims to be
evolving into something that does gssapi, which looks like a hard
problem.  (NFSv4 does this by using "up" calls from the kernel...)
I gather rxgk is from the kth folks - I don't know if they've had time
to do more past what's in the openafs source.

There are 2 reasons I'm asking.  The first is that people here at the
university are moderately keen on getting rid of both kerberos 4 and
des.  Afs is the big obvious problem, but we've also got some smaller
stuff based on rx, such as uniqname, that also needs to get addressed.
The "other stuff" is stuff we'd like to address this summer.  For afs,
it obviously depends on where openafs goes and how fast, but it would
be good if things happened there as well.

The *other* reason I'm asking is because I may actually have some
interesting code for this.  After looking at rxgk, I figured it
couldn't hurt to try some simple experiments with authentication
mechanisms and rx.  After a relatively modest amount of time, I now
have just over 1000 lines of code which does rx, kerberos 5, and uses
whatever session key enctype it gets.  For my testing that's been rc6
(experimental hack), but it should work with whatever's in kerberos.
I've still got more work to do, but I believe I may be way ahead of
where rxgk is in terms of doing the things I want.

So, has anybody else done any work here?  Is what I've done of interest
to others?  Has anybody else done something that might be of interest
to me?

				-Marcus Watts
				UM ITCS Umich Systems Group