[OpenAFS] Support for Kerberos V
Simon Wilkinson
sxw@inf.ed.ac.uk
Fri, 6 Nov 2009 14:33:22 +0000

On 6 Nov 2009, at 13:52, Jaap Winius wrote:
> Hi all,
>
> What's the state of support for Kerberos V in the current version of
> OpenAFS? For instance, is pre-authentication supported yet?

You've been able to run OpenAFS with the REQUIRES_PREAUTH flag set on
the afs/<cell>@REALM principal for at least the last 5 years. You will
encounter problems if your realm doesn't have REQUIRES_PREAUTH set on
its krbtgt service, or if you accept cross-realm tickets from realms
which don't have preauth turned on.

There are two projects which will bring more complete Kerberos V
support to AFS (in particular, support for a wider range of encryption
types). Marcus Watts' rxk5 is functionally complete, but a number of
issues have to be addressed before it can be merged to the mainline. I
can't speak to timescales for this - I guess it depends very much on
how much time Marcus has to spend on it.

The second project is 'rxgk' - this will add support for all GSSAPI
based security mechanisms, which includes Kerberos V. There is funding
for the development of this, and there is a delivery deadline of
August next year. It will then have to be integrated with the
development branch, and progress into stable. Whilst I'd hope that
process will be relatively fast, our past record of getting stable
releases out of the door in a timely fashion isn't great.

Hope that helps!

Simon.