[OpenAFS] Some questions about the future of OpenAFS

Douglas E. Engert deengert@anl.gov
Tue, 30 Apr 2002 08:40:57 -0500


Derrick J Brashear wrote:
> 
> On Mon, 29 Apr 2002, Douglas E. Engert wrote:
> 
> > Yes. It's the same old K4 token.
> >
> > But this can now allow for the development of changes to the tokens independently
> > of the authentication method. i.e. maybe a token2 could be defined which
> > used a 3des or AES key, yet was still simple and small like the current tokens.
> >
> > It's a first step in an evolutionary process to improve AFS security.
> 
> (Speaking for myself only) the only improvement I see in this is you don't
> need any kerberos. You'll have no trouble convincing me that people are
> turned off by the complexity of Kerberos (never mind that the kaserver,
> while it has its problems, is incredibly simple to configure and
> administer) but from where I'm sitting you lost that battle as soon as you
> mentioned X509

The Globus Project uses GSSAPI for authentication, and can use Kerberos V5
(with some extensions) or the GSI (GSSAPI over SSL with X509 certificates).
The project prefers the GSI, with Kerberos being used only where
it is already in place. Globus has sites which have AFS but not Kerberos V5,
and will be using the GSI. So the gssklog was originally designed for them.
Delegated credentials are used to authenticate to the gssklogd to get an AFS
token automatically, by the Globus gatekeeper (similar to inetd) for example.

I like Kerberos, V5 not V4. We have used DCE security servers as KDCs in the
past as well as W2K domain controllers, both of which supported only V5. We
are running the krb524 just for AFS. We would like to get rid of it. The
gssklog with a Kerberos V5 GSSAPI can do that too.

So look at the separation of the authentication from the token generation as a
way to give you, the OpenAFS developer, more flexibility in designing the next 
generation of the AFS token. Tokens don't have to continue to be Kerberos tickets, 
as they are used internally only by AFS.

This also allows the AFS cell to accept authentication by multiple means: the
current klog and kaserver, the krb524d route, the K5 GSSAPI and the GSI. Others
could also be added too. Thus the AFS cell can be thought of separately from a
Kerberos realm. The cell then represents the common set of servers which use
the same authorization database.

> 
> -D
> 
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
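The separation argued for above (authenticate by any of several mechanisms, map the authenticated name to a user in the cell's own authorization database, then issue one cell-specific token whose format and verification never depend on the mechanism) can be shown in a small model. The following Python is an added illustration written for this page; it is not OpenAFS, kaserver or gssklog code. The token layout, the HMAC keyed by a constructed cell key, the two toy mechanisms (a hashed shared secret standing in for klog/kaserver, and a subject name vouched for by a constructed "CA" key standing in for a GSI certificate), the identity map, and the 25-hour lifetime are all assumptions made for the example.

```python
"""Mechanism-independent token issuance: a constructed model, not OpenAFS code."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Token:
    """The cell's own token: same layout whichever mechanism authenticated the user."""
    cell: str
    afs_user: str      # name in the cell's authorization database
    mechanism: str     # recorded for audit only; verification does not depend on it
    issued: int
    expires: int
    session_key: bytes
    mac: bytes


# Constructed key shared by the cell's servers (a real cell keeps this in a keyfile).
CELL_KEY = hashlib.sha256(b"constructed cell server key").digest()


def _token_mac(cell, afs_user, mechanism, issued, expires, session_key):
    """Bind every field to the cell key so a token cannot be altered after issue."""
    msg = b"|".join([cell.encode(), afs_user.encode(), mechanism.encode(),
                     str(issued).encode(), str(expires).encode(),
                     session_key.hex().encode()])
    return hmac.new(CELL_KEY, msg, hashlib.sha256).digest()


class TokenIssuer:
    """Issues and verifies cell tokens; authentication mechanisms are plugged in."""

    def __init__(self, cell: str, lifetime: int = 25 * 3600):
        self.cell = cell
        self.lifetime = lifetime
        self._mechanisms: Dict[str, Callable[[Tuple], Optional[str]]] = {}
        self._identity_map: Dict[Tuple[str, str], str] = {}

    def register_mechanism(self, name, authenticate):
        self._mechanisms[name] = authenticate

    def map_identity(self, mechanism, external_name, afs_user):
        # Comparable to gssklog mapping a certificate subject to an AFS user.
        self._identity_map[(mechanism, external_name)] = afs_user

    def issue(self, mechanism, credential, now=None) -> Optional[Token]:
        authenticate = self._mechanisms.get(mechanism)
        if authenticate is None:
            return None                      # unknown mechanism
        external_name = authenticate(credential)
        if external_name is None:
            return None                      # authentication failed
        afs_user = self._identity_map.get((mechanism, external_name))
        if afs_user is None:
            return None                      # authenticated, but unknown to this cell
        issued = int(time.time() if now is None else now)
        expires = issued + self.lifetime
        session_key = os.urandom(8)
        mac = _token_mac(self.cell, afs_user, mechanism, issued, expires, session_key)
        return Token(self.cell, afs_user, mechanism, issued, expires, session_key, mac)

    def verify(self, token: Token, now=None) -> bool:
        now = int(time.time() if now is None else now)
        if token.cell != self.cell or not (token.issued <= now < token.expires):
            return False
        expected = _token_mac(token.cell, token.afs_user, token.mechanism,
                              token.issued, token.expires, token.session_key)
        return hmac.compare_digest(expected, token.mac)


# Toy mechanism 1, standing in for klog/kaserver: a per-user secret checked by hash.
_PASSWORD_HASHES = {"alice": hashlib.sha256(b"constructed-secret").digest()}

def password_authenticate(credential):
    user, secret = credential
    stored = _PASSWORD_HASHES.get(user)
    if stored is None:
        return None
    return user if hmac.compare_digest(stored, hashlib.sha256(secret).digest()) else None


# Toy mechanism 2, standing in for GSI: a subject name vouched for by a constructed CA key.
_CA_KEY = hashlib.sha256(b"constructed CA key").digest()

def ca_sign(subject: str) -> bytes:
    return hmac.new(_CA_KEY, subject.encode(), hashlib.sha256).digest()

def cert_authenticate(credential):
    subject, signature = credential
    return subject if hmac.compare_digest(ca_sign(subject), signature) else None


def build_demo_issuer() -> TokenIssuer:
    issuer = TokenIssuer("example.cell")
    issuer.register_mechanism("password", password_authenticate)
    issuer.register_mechanism("cert", cert_authenticate)
    # The same AFS user is reachable through two different credentials.
    issuer.map_identity("password", "alice", "alice")
    issuer.map_identity("cert", "/O=Grid/CN=Alice", "alice")
    return issuer


if __name__ == "__main__":
    issuer = build_demo_issuer()
    t = issuer.issue("cert", ("/O=Grid/CN=Alice", ca_sign("/O=Grid/CN=Alice")))
    print(t.afs_user, issuer.verify(t))
```

Adding a third mechanism (a Kerberos V5 GSSAPI verifier, say) means one more `register_mechanism` call and its identity mappings; `Token`, `_token_mac` and `verify` are untouched, which is the flexibility the message describes. The identity map is also where the cell is decoupled from any single realm: an authenticated name that the cell has not mapped gets no token at all.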