[OpenAFS-devel] rxk5 branch is ready; please test

Jim Rees rees@umich.edu
Thu, 13 Dec 2007 14:56:30 -0500 

For the past year or more, Matt Benjamin and Marcus Watts have been working
hard on developing rxk5, a new security mechanism for OpenAFS.  It uses
kerberos 5 tickets and encryption algorithms straight, and includes support
for all standard kerberos 5 encryption types including AES256.

The code is currently on a branch tagged rxk5-devel-1_5_x.  Our plan is to
merge it to the openafs-devel-1_5_x branch, from which it will eventually
make its way into an official OpenAFS release at some time in the future.

Please test this code.  Even if you don't plan to use any of the rxk5
features, please build it and report back here.

== About rxk5 ==

Rxk5 is a new security mechanism for OpenAFS.  It uses kerberos 5 tickets
and encryption algorithms straight, and includes support for all standard
kerberos 5 encryption types including AES256.  The exact encryption type
used is decided by the kerberos kdc based on the key types stored in
kerberos, and the intersection of the key types supported by the kernel &
userland kerberos libraries on the client machine.  Rxk5 service is
"per-cell"; all servers in a cell must be upgraded to support rxk5 before it
can be turned on.  However, rxk5 enabled servers can continue to support
rxkad access, and rxk5 clients can use both rxk5 and rxkad to talk to
different cells.  At authentication time, users can force the use of either
rxkad or rxk5, or let the software automatically choose rxk5 when the remote
kdc is willing to issue rxk5 tickets.

With the introduction of rxk5, kaserver is "deprecated" and no longer built
as a standard feature.  aklog is augumented to support rxk5.  A new version
of klog is provided which does kerberos 5 natively (earlier versions of this
have already appeared other branches of OpenAFS).  The old version of klog
is still built by default but installed as "klog.ka", for use with cells
that choose to continue only supporting kaserver or kerberos 4.

rxk5 should build with recent versions of heimdal & MIT kerberos.  Note that
some vendor releases of MIT kerberos do not necessarily export all symbols
needed by rxk5.  You may need to acquire the latest vendor release or build
from source to get acceptable results.  The rxk5 security mechanism proper
also includes experimental support for Shishi; sadly, use of this with
OpenAFS is problematic due to license conflicts.

rxk5 at this point should be considered "beta" quality - it should work, but
it has not yet received wide-spread testing & there are some remaining rough
edges that need improving.  Rxk5 should work on all architectures, including
windows.  rxk5 is an optional feature; if you do not enable it, your toes
will probably not rot off, at least not right away.  Test reports from users
are welcome.

Other features in the rxk5 branch that aren't particularly rxk5-specific,
but happen to be here because the developers aren't as smart as you so
couldn't hack 64,000 different source branches: improved linux kernel
configuration (pulls configuration paramters out of the linux build
scripts), and "pts -localauth", which also makes it possible to more easily
initialize a pt database without using "pt_util" or "bos setauth".  These
improvements are not conditioned by enabling rxk5.