[OpenAFS] Separating AFS tokens generation from Authentication

Douglas E. Engert deengert@anl.gov
Wed, 10 Oct 2001 10:18:33 -0500


AFS authentication and authorization have been based on Kerberos V4. 
When used with Kerberos V5, either the KDC must issue a K4 ticket, 
or a krb524d is required to convert V5 tickets to V4 tickets so they 
can be used for AFS tokens. 

We would like to separate the method used for authentication from the 
generation/use of the AFS tokens. 

As part of the Globus Project(tm), http://www.globus.org, we are working on an 
alternate solution, which allows other authentication methods to be used to 
obtain AFS tokens. 

This is accomplished by using GSSAPI from the client, gsiklog, to authenticate
to a daemon, gsiklogd, running on one or more of the AFS database server
machines. A request is then sent, protected by the GSS, to the daemon, which
returns an AFS token, also protected by the GSS. The daemon uses the gss_inquire
functions to get the client's identity and lifetime, and uses these to construct
an AFS token, using a simple mapping database which maps GSS identities to AFS users.
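As an added illustration (not code from the original post or from gsiklog), here is a model of the daemon-side step just described, after gss_accept_sec_context has succeeded and gss_inquire_context has yielded the client's name and remaining context lifetime. The mapping file format (one '"GSS name" afsuser' line per identity, in the style of a Globus gridmap file), the lifetime cap and the identities are assumptions; unmapped or expired clients are refused rather than given a token.

```python
# Added example, not part of the original post or of gsiklog/gsiklogd.
# Models gsiklogd's decision after GSS authentication: map the GSS identity
# to an AFS user and bound the token lifetime by the GSS context lifetime.
import time
from dataclasses import dataclass

MAX_TOKEN_LIFETIME = 25 * 3600  # assumed daemon policy: at most 25h per token

# Constructed mapping database (gridmap-style format is an assumption).
MAPPING_DB = '''
# "GSS identity"                                   AFS user
"/O=Grid/O=Globus/OU=anl.gov/CN=Douglas Engert"    deengert
"/O=Grid/O=Globus/OU=anl.gov/CN=Some Operator"     afsadmin
'''

@dataclass
class TokenRequest:
    afs_user: str
    begin: int   # token BeginTimestamp, seconds since the epoch
    end: int     # token EndTimestamp

def parse_mapping(text):
    """Parse the mapping database into {gss_identity: afs_user}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if not line.startswith('"') or line.count('"') < 2:
            raise ValueError(f"malformed mapping line: {line!r}")
        ident, _, rest = line[1:].partition('"')
        fields = rest.split()
        if not fields:
            raise ValueError(f"mapping line lacks an AFS user: {line!r}")
        table[ident] = fields[0]
    return table

def build_token_request(gss_name, ctx_lifetime, mapping, now=None):
    """Return the token parameters for an authenticated client, or None when
    the identity is not mapped or its GSS context has no lifetime left.
    The token lifetime is min(GSS context lifetime, daemon cap)."""
    afs_user = mapping.get(gss_name)
    if afs_user is None or ctx_lifetime <= 0:
        return None
    now = int(time.time()) if now is None else now
    lifetime = min(ctx_lifetime, MAX_TOKEN_LIFETIME)
    return TokenRequest(afs_user, now, now + lifetime)
```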

Since the token is sent using the GSS wrap/unwrap, it is not encrypted in 
a Kerberos tgt session key. This completely separates the authentication from 
the token generation, and in our case the GSSAPI is based on SSL.

The gsiklog is a modified klog based on OpenAFS, and the gsiklogd is a modified
gss demo program which calls routines based on OpenAFS to generate tokens. You 
will need the Transarc or OpenAFS libs and includes and a GSSAPI implementation. 

The gsiklog and gsiklogd could also be used with the Kerberos GSSAPI. Doing this
means you don't need a KDC which understands V4, or a krb524d.  It also means that
one could use stronger keys for authentication with Kerberos V5, yet still
use the DES keys with the tokens, or even update the keys in the tokens, separate
from the authentication. It also means that future tokens are not required to be
based on V4 or V5 tickets, but could use some other format. 

If anyone is interested a beta version of this is available at:
ftp://achilles.ctd.anl.gov/pub/DEE/gsiklog-0.9.tar

Comments?

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444