[OpenAFS] Separating AFS tokens generation from Authentication

Jeffrey Hutzelman jhutz@cmu.edu
Wed, 10 Oct 2001 13:40:42 -0400 (EDT)


On 10 Oct 2001, Derek Atkins wrote:

> Leif Johansson <leifj@it.su.se> writes:
> 
> > On Wed, Oct 10, 2001 at 10:24:18AM -0500, Neulinger, Nathan wrote:
> > > Interesting... will take a look, does sound promising, particularly for
> > > integration with NT...
> > > 
> > > Yucky tar file though that extracts into src/*... But that's just cosmetic.
> > 
> > Both name-space mapping and alternative authentication mechanisms for
> > rx were discussed at the Arla Hackathon in Stockholm two weeks ago. 
> 
> Indeed, I would much rather see GSS incorporated directly into rxkad.
> Then again, I'd also like to see each AFS server have its own key
> instead of using a single shared key across all servers in a cell.

Since the hackathon, I've been working, slowly, on the development of a
new security class (rxgss) which will provide GSSAPI-based security for
rx-using applications, including OpenAFS and Arla.  Unlike a number of
solutions that have been implemented to date, this will result in actually
using modern authentication and encryption technologies to secure AFS
traffic.  Methods in use today, including afslog, Ken Hornstein's V5 aklog,
and the stuff that Doug has described, all simply use modern methods to
obtain a Kerberos V4 ticket, which is then used in the traditional way,
fcrypt and all.