[OpenAFS] Some questions about the future of OpenAFS

Jeffrey Hutzelman jhutz@cmu.edu
Mon, 29 Apr 2002 19:46:41 -0400 (EDT)


On Mon, 22 Apr 2002, Ken Hornstein wrote:

> >1) Is there a time table for converting AFS to be a Kerberos V5 service?
> >(I.E., no need for krb524d, no need to use asetkey to grab the Key from
> >a keytab into the Keyfile but instead just using a keytab like other V5
> >services, etc.)
>
> My understanding is that there is work taking place in this arena, but it
> is a significant effort (I believe a lot of the protocol design work is
> done, but no code has been written yet).  Others could speak to this better.

Yes; most of the protocol design work has been done and even redone.  At
this point, we have (courtesy of Love) a proof-of-concept implementation
which allows an Rx connection to be authenticated using the krb5 GSSAPI
mechanism.

Unfortunately, that still puts us a long way from having a complete AFS
system working using something other than krb4.  Besides the cleanup and
work that still needs to be done on the rxgss security class itself,
there's an awful lot of integration work to be done.  We still haven't
worked out exactly what the interface between the cache manager and
user-land auth code will look like, and there are also a number of
issues related to the ptserver.

Once all of those issues have been worked out, we'll have to update many
of the AFS components which currently know only about rxkad to also work
with rxgss.  I'm beginning to think this may involve a new abstraction, or
some changes to the existing ktc interface, so that individual apps don't
need to know all about the authentication details.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
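The step Ken's first question wants to get rid of, `asetkey` copying a key out of a krb5 keytab into the AFS KeyFile, is small enough to show in full. The following is an added example by the editor of this archive page, not code from the thread or from OpenAFS: it parses an MIT v2 keytab, picks the afs/cell entry at a given kvno, and writes it into a KeyFile. The byte layouts are the MIT keytab v2 format and the OpenAFS `struct afsconf_keys` layout (nkeys, then 8 slots of kvno plus 8-byte key, 100 bytes in total) as the editor understands them; the keytab bytes at the bottom are constructed for the demo, and the single-DES check reflects the rxkad KeyFile of the period.

```python
"""asetkey-style keytab -> KeyFile copy (editor's example, not OpenAFS code)."""
import struct

AFSCONF_MAXKEYS = 8                      # slots in an OpenAFS KeyFile
KEYFILE_SIZE = 4 + AFSCONF_MAXKEYS * 12  # nkeys + 8 * (kvno + 8-byte key)
DES_ENCTYPES = {1, 2, 3}                 # des-cbc-crc, des-cbc-md4, des-cbc-md5


def _counted(buf, off):
    """Read a keytab counted octet string: uint16 length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n


def build_keytab_entry(realm, comps, vno, enctype, key, timestamp=0, name_type=1):
    """Serialize one MIT v2 keytab entry (used here only to construct demo input)."""
    body = struct.pack(">H", len(comps))                   # v2: realm not counted
    body += struct.pack(">H", len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIB", name_type, timestamp, vno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", vno)                         # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body


def parse_keytab(data):
    """Return a list of live entries from an MIT v2 keytab (deleted slots skipped)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT v2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                       # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off); off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c)
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, off); off += 9
        enctype, klen = struct.unpack_from(">HH", data, off); off += 4
        key = bytes(data[off:off + klen]); off += klen
        vno = vno8
        if end - off >= 4:                 # 32-bit kvno present: it wins over vno8
            (vno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append({"principal": b"/".join(comps) + b"@" + realm,
                        "vno": vno, "enctype": enctype, "key": key})
    return entries


def find_afs_key(entries, principal, kvno):
    """Select the key asetkey would copy; rxkad's KeyFile only holds single DES."""
    for e in entries:
        if e["principal"] == principal and e["vno"] == kvno:
            if e["enctype"] not in DES_ENCTYPES:
                raise ValueError("KeyFile can only hold single-DES keys")
            return e["key"]
    raise KeyError("%r kvno %d not found in keytab" % (principal, kvno))


def keyfile_add(keyfile, kvno, key):
    """Return a new 100-byte KeyFile with (kvno, key) added, replacing a same-kvno slot."""
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes")
    if keyfile is None:
        keyfile = bytes(KEYFILE_SIZE)      # empty KeyFile: nkeys = 0
    (n,) = struct.unpack_from(">i", keyfile, 0)
    slots = [struct.unpack_from(">i8s", keyfile, 4 + 12 * i) for i in range(n)]
    slots = [(k, v) for k, v in slots if k != kvno] + [(kvno, key)]
    if len(slots) > AFSCONF_MAXKEYS:
        raise ValueError("KeyFile full")
    out = struct.pack(">i", len(slots))
    for k, v in slots:
        out += struct.pack(">i8s", k, v)
    return out.ljust(KEYFILE_SIZE, b"\0")


def asetkey_add(keyfile, keytab, principal, kvno):
    """The whole `asetkey add <kvno> <keytab> <principal>` operation."""
    return keyfile_add(keyfile, kvno, find_afs_key(parse_keytab(keytab), principal, kvno))


# Constructed demo keytab: one host key (AES, not usable by rxkad) and the cell key.
DEMO_AFS_KEY = b"\x13\x25\x37\x49\x5b\x6d\x7f\x91"   # made-up odd-parity DES key
DEMO_KEYTAB = (b"\x05\x02"
               + build_keytab_entry(b"EXAMPLE.COM", [b"host", b"fs1.example.com"], 2, 17, bytes(16))
               + build_keytab_entry(b"EXAMPLE.COM", [b"afs", b"example.com"], 3, 1, DEMO_AFS_KEY))

if __name__ == "__main__":
    kf = asetkey_add(None, DEMO_KEYTAB, b"afs/example.com@EXAMPLE.COM", 3)
    print("KeyFile bytes:", len(kf), "nkeys:", struct.unpack_from(">i", kf, 0)[0])
```

The enctype check is where the pain described in the thread shows up: a KeyFile slot is exactly 8 bytes, so the cell key has to be single DES no matter what the KDC would otherwise issue, and every other V5 service on the host can read its keytab directly without this copy.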