[OpenAFS-devel] rxk5 branch is ready; please test
Douglas E. Engert
deengert@anl.gov
Thu, 20 Dec 2007 10:15:53 -0600
Jim Rees wrote:
> For the past year or more, Matt Benjamin and Marcus Watts have been working
> hard on developing rxk5, a new security mechanism for OpenAFS. It uses
> kerberos 5 tickets and encryption algorithms straight, and includes support
> for all standard kerberos 5 encryption types including AES256.
>
> The code is currently on a branch tagged rxk5-devel-1_5_x. Our plan is to
> merge it to the openafs-devel-1_5_x branch, from which it will eventually
> make its way into an official OpenAFS release at some time in the future.
>
> Please test this code. Even if you don't plan to use any of the rxk5
> features, please build it and report back here.
I can build on Solaris 10 using the Solaris Kerberos.
export KRB5CFLAGS="-I/usr/include/kerberosv5"
export KRB5LIBS="/usr/lib/gss/mech_krb5.so -R/usr/lib/gss"
./configure --enable-transarc-paths \
--with-krb5=yes \
--enable-rxk5 \
--enable-debug \
--enable-namei-fileserver \
--enable-largefile-fileserver \
--host=sparc-sun-solaris2.10
You say below there are still issues with MIT kerberos. Solaris may
have these same issues, as it is based on MIT. I have not gotten
far enough to test yet.
The attached cvs diff file fixes these problems:
aklog_main.c code was changed, and did not support the HAVE_NO_KRB5_524
correctly. It appears that the -unwrap should also work without the 524.
comerr/error_msg.c needs to include the add_error_table code, and should
use the HAVE_ADD_ERR_R_TABLE.
While trying to build the rxk5 tests, the Sun compiler does not like
__FUNCTION__, so I replaced it.
The afsauthent.proto has a reference for xdr_rxk5_principal. This is
either not needed, or the xdr code is not being generated. To get it
to compile and link, I removed it.
src/util/assert.h defines assert as a statement. /usr/include/kerberos5/krb5.h
uses abort which cpp converts to assert but it is used as an expression. The
compiler gives an error. The new assert can be used as an expression or
a statement.
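The statement-versus-expression difference described above, shown as an added C example (not part of the original message or of OpenAFS): both macro forms are reproduced under the assumed names afs_assert_stmt and afs_assert_expr, and AssertionFailed is a constructed stand-in that records the failure instead of aborting so the outcome can be inspected.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for OpenAFS's AssertionFailed(): it records the
 * failure instead of aborting, so the functions below can report it. */
static int failed_count;

static void AssertionFailed(const char *file, int line)
{
    failed_count++;
    fprintf(stderr, "assertion failed at %s:%d\n", file, line);
}

/* Old form from src/util/assert.h: a statement. It is legal only where a
 * statement may appear, so a header that expands it inside an expression
 * (the krb5.h case in the message above) does not compile. */
#define afs_assert_stmt(ex) \
    do { if (!(ex)) AssertionFailed(__FILE__, __LINE__); } while (0)

/* New form from the attached patch: a void expression usable in both
 * contexts. The trailing ",0" is required because AssertionFailed returns
 * void and both arms of ?: must have compatible types. */
#define afs_assert_expr(ex) \
    (void)((ex) ? 0 : (AssertionFailed(__FILE__, __LINE__), 0))

/* Statement context: both forms work. Returns the number of failures. */
int check_as_statement(int value)
{
    failed_count = 0;
    afs_assert_stmt(value > 0);
    afs_assert_expr(value > 0);
    return failed_count;            /* 0 when value > 0, otherwise 2 */
}

/* Expression context, modelled on "cond ? x : (abort(), y)" with abort
 * #defined to assert: only the expression form compiles here. Returns the
 * string length, or -1 if the assertion fired. */
int check_in_expression(const char *s)
{
    failed_count = 0;
    size_t n = (s != NULL) ? strlen(s)
                           : (afs_assert_expr(s != NULL), (size_t)0);
    return failed_count ? -1 : (int)n;
}
```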
>
> == About rxk5 ==
>
> Rxk5 is a new security mechanism for OpenAFS. It uses kerberos 5 tickets
> and encryption algorithms straight, and includes support for all standard
> kerberos 5 encryption types including AES256. The exact encryption type
> used is decided by the kerberos kdc based on the key types stored in
> kerberos, and the intersection of the key types supported by the kernel &
> userland kerberos libraries on the client machine. Rxk5 service is
> "per-cell"; all servers in a cell must be upgraded to support rxk5 before it
> can be turned on. However, rxk5 enabled servers can continue to support
> rxkad access, and rxk5 clients can use both rxk5 and rxkad to talk to
> different cells. At authentication time, users can force the use of either
> rxkad or rxk5, or let the software automatically choose rxk5 when the remote
> kdc is willing to issue rxk5 tickets.
>
> With the introduction of rxk5, kaserver is "deprecated" and no longer built
> as a standard feature. aklog is augmented to support rxk5. A new version
> of klog is provided which does kerberos 5 natively (earlier versions of this
> have already appeared other branches of OpenAFS). The old version of klog
> is still built by default but installed as "klog.ka", for use with cells
> that choose to continue only supporting kaserver or kerberos 4.
>
> rxk5 should build with recent versions of heimdal & MIT kerberos. Note that
> some vendor releases of MIT kerberos do not necessarily export all symbols
> needed by rxk5. You may need to acquire the latest vendor release or build
> from source to get acceptable results. The rxk5 security mechanism proper
> also includes experimental support for Shishi; sadly, use of this with
> OpenAFS is problematic due to license conflicts.
>
> rxk5 at this point should be considered "beta" quality - it should work, but
> it has not yet received wide-spread testing & there are some remaining rough
> edges that need improving. Rxk5 should work on all architectures, including
> windows. rxk5 is an optional feature; if you do not enable it, your toes
> will probably not rot off, at least not right away. Test reports from users
> are welcome.
>
> Other features in the rxk5 branch that aren't particularly rxk5-specific,
> but happen to be here because the developers aren't as smart as you so
> couldn't hack 64,000 different source branches: improved linux kernel
> configuration (pulls configuration parameters out of the linux build
> scripts), and "pts -localauth", which also makes it possible to more easily
> initialize a pt database without using "pt_util" or "bos setauth". These
> improvements are not conditioned by enabling rxk5.
> _______________________________________________
> OpenAFS-devel mailing list
> OpenAFS-devel@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-devel
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Attachment: rxk5.solaris10.diff.txt (text/plain, inline)
Index: src/aklog/aklog_main.c
===================================================================
RCS file: /cvs/openafs/src/aklog/aklog_main.c,v
retrieving revision 1.12.2.2.2.2
diff -u -r1.12.2.2.2.2 aklog_main.c
--- src/aklog/aklog_main.c 26 Sep 2007 16:34:17 -0000 1.12.2.2.2.2
+++ src/aklog/aklog_main.c 20 Dec 2007 15:47:17 -0000
@@ -740,11 +740,9 @@
* construct a encpart only 2b style ticket.
*/
-#ifndef HAVE_NO_KRB5_524
+/* if HAVE_NO_KRB5_524 defind, do524 will be DO524_NO or DO524_LOCAL */
+
if (do524 != DO524_YES) {
-#else
- {
-#endif
char *p;
int len;
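Review bot: the new comment on the `+/* if HAVE_NO_KRB5_524 defind ...` line has a typo ("defind" should be "defined"), and the precondition it states (do524 is never DO524_YES in a no-524 build) is enforced only by the option parsing in the @@ -1477 hunk, where "-524" stays inside #ifndef HAVE_NO_KRB5_524; say so in the comment so the two locations are not changed independently.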
@@ -791,8 +789,6 @@
memcpy(atoken.ticket, enc_part->data, atoken.ticketLen);
}
#ifndef HAVE_NO_KRB5_524
- }
-#else
} else {
CREDENTIALS cred;
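Review bot: the `} else {` that now sits under #ifndef HAVE_NO_KRB5_524 has no matching close inside this hunk; it is balanced only by the `+ }` added after #endif in the @@ -828 hunk, so a reader of either hunk alone cannot see the brace structure. A brief comment on the `} else {` line noting that the if/else is closed after the #endif would make that dependency visible.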
@@ -828,6 +824,7 @@
atoken.ticketLen = cred.ticket_st.length;
memcpy(atoken.ticket, cred.ticket_st.dat, atoken.ticketLen);
#endif /* HAVE_NO_KRB5_524 */
+ }
if (!force &&
!ktc_GetToken(&aserver, &btoken, sizeof(btoken), &aclient) &&
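Review bot: the added `+ }` after `#endif /* HAVE_NO_KRB5_524 */` closes `if (do524 != DO524_YES) {` in both configurations, which is the right fix; label it, e.g. `} /* if (do524 != DO524_YES) */`, since the opening brace is nearly a hundred lines above and separated by a preprocessor conditional.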
@@ -1391,8 +1388,8 @@
fprintf(stderr, " -setpag set the AFS process authentication group.\n");
#ifndef HAVE_NO_KRB5_524
fprintf(stderr, " -524 means use the 524 converter instead of V5 directly\n");
- fprintf(stderr, " -unwrap means do the 524 conversion locally\n");
#endif
+ fprintf(stderr, " -unwrap means do the 524 conversion locally\n");
#ifdef AFS_RXK5
fprintf(stderr, " -k5 means do rxk5 (kernel uses V5 tickets)\n");
fprintf(stderr, " -k4 means do rxkad (kernel uses V4 or 2b tickets)\n");
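Review bot: moving the -unwrap usage line out of #ifndef HAVE_NO_KRB5_524 is consistent with the parsing change in @@ -1477, but its text "do the 524 conversion locally" will now be printed in builds that have no 524 converter at all; the comment in the first hunk describes the local path as constructing an encpart-only 2b ticket, so wording the help along those lines would avoid suggesting a 524 service is involved.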
@@ -1477,9 +1474,9 @@
#ifndef HAVE_NO_KRB5_524
else if (strcmp(argv[i], "-524") == 0)
do524 = DO524_YES;
+#endif
else if (strcmp(argv[i], "-unwrap") == 0)
do524 = DO524_LOCAL;
-#endif
#ifdef AFS_RXK5
else if (strcmp(argv[i], "-k4") == 0)
rxk5 = FORCE_RXKAD;
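Review bot: with #endif moved above the "-unwrap" case, the `else if` for -unwrap must still attach to an `else if` chain when HAVE_NO_KRB5_524 is defined; the lines preceding the #ifndef are outside this hunk, so confirm the statement just before it is itself part of the same if/else chain, otherwise the no-524 build gets a dangling `else`.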
Index: src/comerr/error_msg.c
===================================================================
RCS file: /cvs/openafs/src/comerr/error_msg.c,v
retrieving revision 1.6.14.2
diff -u -r1.6.14.2 error_msg.c
--- src/comerr/error_msg.c 26 Sep 2007 16:34:28 -0000 1.6.14.2
+++ src/comerr/error_msg.c 20 Dec 2007 15:47:17 -0000
@@ -169,7 +169,7 @@
UNLOCK_ET_LIST;
}
-#if 0
+#ifndef HAVE_ADD_ERROR_TABLE
/*
* New interfaces provided by mit krb5's com_err library
*/
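Review bot: the macro tested here is HAVE_ADD_ERROR_TABLE while the cover note names HAVE_ADD_ERR_R_TABLE; whichever is intended, confirm configure actually defines it, because if nothing does, the block that was previously `#if 0` is now compiled unconditionally and on MIT builds will define add_error_table alongside the copy already exported by libcom_err.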
Index: src/rxk5/servconn.c
===================================================================
RCS file: /cvs/openafs/src/rxk5/Attic/servconn.c,v
retrieving revision 1.1.4.3
diff -u -r1.1.4.3 servconn.c
--- src/rxk5/servconn.c 26 Sep 2007 16:34:49 -0000 1.1.4.3
+++ src/rxk5/servconn.c 20 Dec 2007 15:47:19 -0000
@@ -584,7 +584,7 @@
#endif
Out:
- if (code) afs_com_err(__FUNCTION__, code, when);
+ if (code) afs_com_err(__FILE__||"k5_get_cred", code, when);
#ifdef USING_SHISHI
if (hint->server)
free(hint->server);
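Review bot: `__FILE__||"k5_get_cred"` is a logical OR of two string-literal pointers and evaluates to the int 1, not to a string, so the first argument to afs_com_err (the program name to print) receives an integer where a char pointer is expected. Use a single literal such as `"k5_get_cred"`, or adjacent-literal concatenation `__FILE__ ":k5_get_cred"` if the file name is wanted.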
Index: src/shlibafsauthent/afsauthent.proto
===================================================================
RCS file: /cvs/openafs/src/shlibafsauthent/Attic/afsauthent.proto,v
retrieving revision 1.1.2.1
diff -u -r1.1.2.1 afsauthent.proto
--- src/shlibafsauthent/afsauthent.proto 26 Sep 2007 16:34:53 -0000 1.1.2.1
+++ src/shlibafsauthent/afsauthent.proto 20 Dec 2007 15:47:19 -0000
@@ -65,7 +65,6 @@
<rxk5>
initialize_RXK5_error_table
add_afs_token_rxk5
-xdr_rxk5_principal
<all>
free_afs_token
encode_afs_token
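Review bot: deleting xdr_rxk5_principal from the <rxk5> export list changes the symbol set of the shared libafsauthent; the cover note says the routine is "either not needed, or the xdr code is not being generated", and if it is the latter the correct fix is to get rxgen to emit it rather than drop the export, so this should be confirmed with the rxk5 authors before merging.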
Index: src/util/assert.h
===================================================================
RCS file: /cvs/openafs/src/util/assert.h,v
retrieving revision 1.4
diff -u -r1.4 assert.h
--- src/util/assert.h 14 Jan 2003 00:46:48 -0000 1.4
+++ src/util/assert.h 20 Dec 2007 15:47:19 -0000
@@ -12,4 +12,4 @@
void AssertionFailed(char *file, int line);
-#define assert(ex) do{if (!(ex)) AssertionFailed(__FILE__, __LINE__);}while(0)
+#define assert(ex) (void)((ex)?0:(AssertionFailed(__FILE__, __LINE__),0))
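Review bot: the expression form is correct, and the `(AssertionFailed(...), 0)` comma is needed because AssertionFailed returns void while the other arm of ?: is int; add a comment in assert.h stating that the macro must stay a void expression because system headers (krb5.h on Solaris, per the cover note) expand it inside expressions, so a later cleanup does not revert it to the do/while form.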