[OpenAFS] Some questions about the future of OpenAFS

Jeffrey Hutzelman jhutz@cmu.edu
Mon, 29 Apr 2002 19:40:35 -0400 (EDT)


On Mon, 22 Apr 2002, Douglas E. Engert wrote:

> The gssklog programs I have been working on for the Globus Project,
> http://www.globus.org use a different GSSAPI, based on SSL and X509.
> Useful at sites where there is Globus and AFS but no Kerberos V5.
> But it was designed for use with Kerberos GSSAPI as well. I am back working
> on this.
>
> Not only does the use of GSSAPI eliminate the need for krb524, but it could
> actually free AFS to use something other than Kerberos or Kerberos code
> for tokens. For example, use the OpenSSL or OpenSSH crypto routines.

Be careful not to give the wrong impression here, Doug.  Correct me if
I'm wrong, but my understanding is that while gssklog does allow the use
of an arbitrary GSS mechanism to authenticate users, the "token" you end
up with is still nothing more than a single-DES key and some information
about the user's identity, formatted as a Kerberos V4 ticket.  So, we're
still talking about single-DES and fcrypt.

There are certainly plenty of installations where this could be useful,
but there are also problems it doesn't address.  Particularly, no matter
what crypto algorithms or authentication protocols you use to obtain the
token, both the user's identity as seen by the fileserver and the traffic
between the user and fileserver are still protected by nothing stronger
than single-DES (and in fact, some parts are protected only by the weaker
fcrypt).

-- Jeff