[OpenAFS] Separating AFS tokens generation from Authentication
Neulinger, Nathan
nneul@umr.edu
Wed, 10 Oct 2001 10:24:18 -0500
Interesting... will take a look, does sound promising, particularly for
integration with NT...
Yucky tar file though that extracts into src/*... But that's just cosmetic.
:)
-- Nathan
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert@anl.gov]
> Sent: Wednesday, October 10, 2001 10:19 AM
> To: OpenAFS-info@openafs.org
> Cc: security@gobus.org
> Subject: [OpenAFS] Separating AFS tokens generation from Authentication
>
>
> AFS authentication and authorization have been based on Kerberos V4.
> When used with Kerberos V5, either the KDC must issue a K4 ticket,
> or a krb524d is required to convert V5 tickets to V4 tickets so they
> can be used for AFS tokens.
>
> We would like to separate the method used for authentication from the
> generation/use of the AFS tokens.
>
> As part of the Globus Project(tm), http://www.globus.org, we are
> working on an alternate solution, which allows other authentication
> methods to be used to obtain AFS tokens.
>
> This is accomplished by using GSSAPI from the client, gsiklog, to
> authenticate to a daemon, gsiklogd, running on one or more of the AFS
> database server machines. A request is then sent protected by the GSS
> to the daemon, which returns an AFS token, also protected by the GSS.
> The daemon uses the gss_inquire functions to get the client's identity
> and lifetime, and uses these to construct an AFS token, using a simple
> mapping database which maps GSS identities to AFS users.
>
> Since the token is sent using the GSS wrap/unwrap, it is not encrypted
> in a Kerberos tgt session key. This completely separates the
> authentication from the token generation, and in our case the GSSAPI
> is based on SSL.
>
> The gsiklog is a modified klog based on OpenAFS, and the gsiklogd is a
> modified gss demo program which calls routines based on OpenAFS to
> generate tokens. You will need the Transarc or OpenAFS libs and
> includes and a GSSAPI implementation.
>
> The gsiklog and gsiklogd could also be used with the Kerberos GSSAPI.
> Doing this means you don't need a KDC which understands V4, or a
> krb524d. It also means that one could use stronger keys for
> authentication with Kerberos V5, yet still use the DES keys with the
> tokens, or even update the keys in the tokens, separate from the
> authentication. It also means that future tokens are not required to
> be based on V4 or V5 tickets, but could use some other format.
>
> If anyone is interested a beta version of this is available at:
> ftp://achilles.ctd.anl.gov/pub/DEE/gsiklog-0.9.tar
>
> Comments?
>
> --
>
> Douglas E. Engert <DEEngert@anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
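The request/reply flow Engert describes (client authenticates via GSSAPI, sends a GSS-wrapped request, the daemon reads identity and lifetime from the context, maps the GSS identity to an AFS user, and returns a GSS-wrapped token), as an added illustration that is not part of the original post or of gsiklog. The GSS layer here is a constructed stand-in (an HMAC over each message with a per-context key), and the mapping entries and the 25-hour lifetime cap are assumptions, not values from the post.

```python
import hashlib, hmac, json, os

MAX_TOKEN_LIFETIME = 25 * 3600  # assumed policy cap; not stated in the post

# Constructed mapping database: GSS identity -> AFS user name.
MAPPING_DB = {"/O=Grid/OU=Example/CN=Alice Example": "alice", "bob@EXAMPLE.ORG": "bob"}

class GssContext:
    """Stand-in for an established GSS security context (constructed, not GSSAPI)."""
    def __init__(self, initiator_name, lifetime_s, key=None):
        self.initiator_name, self.lifetime_s = initiator_name, lifetime_s
        self.key = key or os.urandom(32)  # per-context key, not a Kerberos TGT session key

    def inquire(self):  # models gss_inquire_context(): who the peer is and for how long
        return self.initiator_name, self.lifetime_s

    def wrap(self, payload: bytes) -> bytes:  # models gss_wrap() (integrity only here)
        return hmac.new(self.key, payload, hashlib.sha256).digest() + payload

    def unwrap(self, msg: bytes) -> bytes:  # models gss_unwrap(); rejects tampering
        tag, payload = msg[:32], msg[32:]
        if not hmac.compare_digest(tag, hmac.new(self.key, payload, hashlib.sha256).digest()):
            raise ValueError("GSS unwrap failed: integrity check")
        return payload

def issue_token(ctx: GssContext, now: int) -> dict:
    """Daemon side: map the authenticated GSS identity to an AFS user and build a token."""
    name, lifetime = ctx.inquire()
    afs_user = MAPPING_DB.get(name)
    if afs_user is None:  # unmapped identity: refuse rather than guess a user
        return {"error": f"no AFS mapping for GSS identity {name!r}"}
    # The token never outlives the authenticated context (or the local policy cap).
    lifetime = min(lifetime, MAX_TOKEN_LIFETIME)
    return {"afs_user": afs_user, "issued": now, "expires": now + lifetime}

def handle_request(ctx: GssContext, wrapped_request: bytes, now: int) -> bytes:
    """Daemon side (gsiklogd): unwrap the request, answer with a wrapped token or error."""
    request = json.loads(ctx.unwrap(wrapped_request))
    reply = issue_token(ctx, now) if request.get("op") == "get-token" else {"error": "bad op"}
    return ctx.wrap(json.dumps(reply).encode())

def client_get_token(ctx: GssContext, now: int) -> dict:
    """Client side (gsiklog): send a GSS-wrapped request and unwrap the reply."""
    reply = handle_request(ctx, ctx.wrap(json.dumps({"op": "get-token"}).encode()), now)
    return json.loads(ctx.unwrap(reply))
```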