[OpenAFS-devel] configurable cryptosystem support
Jim Rees
rees@umich.edu
Fri, 19 Jan 2007 09:56:28 -0500
The approach we took in nfs was to do the crypto (encrypt, decrypt, sign,
etc) in the kernel for performance, and the rest of the stuff (kerberos
protocol, context generation) in a user space daemon. The kernel part is a
wrapper around the kernel's native crypto. Right now this is very linux
specific, but it doesn't seem to me it would be that hard to provide
wrappers for the platforms we support. Especially if we can decide up front
that afs will only use des (for backward compatibility) and aes (for
example).
In my wildest dreams, the user daemon (gssd) is portable and runs on linux,
bsd, solaris, and anything else we care about, and supports both afs and
nfs. But then I wake up and realize that won't happen in our lifetimes.
Even though CITI controls gssd and is involved in both nfs and afs.