[OpenAFS] Some questions about the future of OpenAFS

Douglas E. Engert deengert@anl.gov
Mon, 29 Apr 2002 21:52:23 -0500


Yes. It's the same old K4 token.

But this can now allow for the development of changes to the tokens independently
of the authentication method. i.e. maybe a token2 could be defined which 
used a 3des or AES key, yet was still simple and small like the current tokens.

It's a first step in an evolutionary process to improve AFS security.

Jeffrey Hutzelman wrote:
> 
> On Mon, 22 Apr 2002, Douglas E. Engert wrote:
> 
> > The gssklog programs I have been working on for the Globus Project,
> > http://www.globus.org use a different GSSAPI, based on SSL and X509.
> > Useful at sites where there is Globus and AFS but no Kerberos V5.
> > But it was designed for use with Kerberos GSSAPI as well. I am back working
> > on this.
> >
> > Not only does the use of GSSAPI eliminate the need for krb524, but could
> > actually free AFS to use something other than Kerberos or Kerberos code
> > for tokens. For example use the OpenSSL or OpenSSH crypto routines.
> 
> Be careful not to give the wrong impression here, Doug.  Correct me if
> I'm wrong, but my understanding is that while gssklog does allow the use
> of an arbitrary GSS mechanism to authenticate users, the "token" you end
> up with is still nothing more than a single-DES key and some information
> about the user's identity, formatted as a Kerberos V4 ticket.  So, we're
> still talking about single-DES and fcrypt.
> 
> There are certainly plenty of installations where this could be useful,
> but there are also problems it doesn't address.  Particularly, no matter
> what crypto algorithms or authentication protocols you use to obtain the
> token, both the user's identity as seen by the fileserver and the traffic
> between the user and fileserver are still protected by nothing stronger
> than single-DES (and in fact, some parts are protected only by the weaker
> fcrypt).
> 
> -- Jeff

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444