[OpenAFS] my afs wish list

Douglas E. Engert deengert@anl.gov
Wed, 30 Apr 2003 09:28:41 -0500


Charles Clancy wrote:
> 
> Any thought to switching over to a pure GSS implementation?  Not only use
> it for authentication (i.e. gssklog), but also for end-to-end encryption
> too.  Then the ciphers used would be a function of the underlying security
> architecture, and completely independent of AFS.

The gssklog works well, because it disassociates the authentication method
from the inner workings of the token. This allows for use of any GSS to 
authenticate to a gssklogd. 

The gssklogd maps the GSS client_name to the AFS cell principal, 
using some internal mappings. It sets the lifetime of the token
based on the credential lifetime. 

We have run it with K5 GSSAPI, and with the Globus GSI which uses X509
certificates and SSL. In each case the gssklogd makes up a traditional 
AFS token, and returns it to the gssklog client via gss_wrap.
The token is then handed off to the cache manager. 


This added flexibility allows AFS internally to use whatever it
wants for the tokens, k4 or k5 tickets. The gssklogd is in effect
issuing a Kerberos ticket for its own service, as it has access to the 
afs keys. This actually means that the AFS cell is more about authorization 
than it is about authentication. The cell can accept authentication from
a number of different Kerberos realms, or other authentication mechanisms,
and can use whatever encryption it wants internally. 
 

See: ftp://achilles.ctd.anl.gov/pub/DEE/README.GSSKLOG
and  ftp://achilles.ctd.anl.gov/pub/DEE/gssklog-0.6.tar  


> 
> The cool thing is that you could use something like SESAME instead of
> Kerberos.  For that matter, you could even use SSL and authenticate with
> certificates.  I don't even want to think about the amount of work
> required, but would such flexibility be useful?
> 
> [ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
> [ crypto ]---[ coordinated science lab ]---[ university of illinois ]

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
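Added example, not gssklog's own code: a Python model of the two decisions the message above attributes to gssklogd, mapping the authenticated GSS client name (a Kerberos principal or a GSI X.509 DN) to an AFS principal, and bounding the token lifetime by the credential lifetime. The mapping table, realm names, DN and the 25-hour cell maximum are constructed assumptions; the gss_wrap exchange and the token format are not modelled.

```python
from datetime import datetime, timedelta
from typing import Optional

# Constructed mapping table (hypothetical): GSS client names -> AFS principals.
# gssklogd keeps its own internal mappings; these values are made up.
EXPLICIT_MAP = {
    "/C=US/O=Example Org/CN=Alice Example": "alice",   # Globus GSI (X.509 DN)
}
# Realms the cell trusts, with a suffix appended to the local name (assumed).
TRUSTED_REALMS = {"EXAMPLE.ORG": "", "PARTNER.EDU": ".partner"}
CELL_MAX_LIFETIME = timedelta(hours=25)  # hypothetical cell policy


def map_client_name(client_name: str) -> Optional[str]:
    """Authorization step: map a GSS name to an AFS principal, or None to refuse."""
    if client_name in EXPLICIT_MAP:
        return EXPLICIT_MAP[client_name]
    if client_name.startswith("/"):        # X.509 DN without an explicit entry
        return None
    if "@" not in client_name:             # not a Kerberos principal either
        return None
    local, realm = client_name.rsplit("@", 1)
    if "/" in local:                       # service instances never get tokens
        return None
    if realm not in TRUSTED_REALMS:        # unknown realm: authenticated, not authorized
        return None
    return local.lower() + TRUSTED_REALMS[realm]


def token_lifetime(cred_expiry: datetime, now: datetime) -> Optional[timedelta]:
    """Token never outlives the GSS credential or the cell maximum."""
    remaining = cred_expiry - now
    if remaining <= timedelta(0):
        return None
    return min(remaining, CELL_MAX_LIFETIME)


def issue_token(client_name: str, cred_expiry: datetime, now: datetime) -> Optional[dict]:
    """What gssklogd would hand back (before gss_wrap); None means no token."""
    principal = map_client_name(client_name)
    if principal is None:
        return None
    life = token_lifetime(cred_expiry, now)
    if life is None:
        return None
    return {"principal": principal, "expires": now + life}
```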