[OpenAFS-devel] rx + kerberos5 + !des

Marcus Watts mdw@umich.edu
Mon, 16 May 2005 18:39:02 -0400


Jeffrey Altman <jaltman@columbia.edu> writes:
> Marcus:
> 
> The current plan is to use GSS for security context negotiation and
> authentication; use the new GSS Pseudo-Random Function API being
> produced by the IETF Kitten working group to export key data which
> will then be used with the Kerberos Crypto functionality to provide
> for privacy and integrity protection.
> 
> The primary work on this effort is being done by Love.
> 
> Jeffrey Altman

Do you have any idea of a timeframe here?  As best I can tell, Love has
been working on rx+k5+gssapi since 2003?...  There is a version of rxgk
in openafs, but it doesn't look very complete.  The latest arla release
just has an empty directory for rxgk.

Once he has something that works, seems to me there's still going to be
lots of work to integrate this into openafs.  Just for starters, I
expect he'll be working with heimdal+arla.  Is there a plan to move
openafs towards requiring the use of Heimdal, or are there plans to make
this work with MIT Kerberos or other Kerberos implementations as well?
Arla is of course a userspace implementation; the openafs cache manager
runs in kernel mode and doesn't have the userland environment that the
existing gssapi libraries (or kerberos) expect.  Are there plans to change
the openafs cache manager to run in userland, or is the plan to run some
sort of userland proxy that will run the gssapi and kerberos code?  If the
latter, how tightly integrated will those calls be with the rx protocol,
and how many up/down calls will be needed?  In either case, how will these
things get to the ticket file or kernel token?

For what it's worth, I'm going to continue to plug away at what I've
got.  I've got both "safe" (checksum) and "private" (encrypted) modes
working.  I'll probably be ready to make a snapshot of this available
soon, if anybody's interested.

I'll read up on "kitten" as well.  Is there a working implementation
of this yet?  Any particular RFCs?

				-Marcus Watts
				UM ITCS Umich Systems Group