On Thu, 2013-02-14 at 15:02 +0000, Simon Wilkinson wrote:
> That's a Kerberos principal, we've been talking in terms of GSS
> identities (which use @ instead of / as a component separator)

Well, no. GSS-API host-based names use '@' to separate a service name from a hostname. That's the syntax of a particular name type, not a general GSS-API component separator.

If we decide we don't want to tie fileservers to a particular hostname, then we need to give them some other form of identity. Possibly, the right thing to do is for AFS to include an interface by which a fileserver first registers itself and establishes a shared key with the VLDB. A new fileserver that does not already have a key would call this interface to exchange keys with the vlserver, after which the newly-generated key would be associated with the new fileserver's UUID (which is also newly-generated and must not already be in the VLDB).

The difficulty lies in authenticating this exchange. There's really no reason why we have to limit who can register as a fileserver (though for operational reasons, some sites might want to). However, a fileserver calling the key-establishment interface needs to be able to trust the identity of the vlserver. In practice, I think that means the new fileserver (or some register-fs program) will use a Kerberos host key or an administrator's credentials to authenticate the establish-key RPC, mostly for mutual-auth.

-- 
Jeff

_______________________________________________
AFS3-standardization mailing list
[email protected]
http://lists.openafs.org/mailman/listinfo/afs3-standardization
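A toy model of the establish-key exchange sketched above, added here as an illustration and not code from the thread or from OpenAFS: it assumes a single shared "admin secret" as a stand-in for the Kerberos/GSS mutual authentication Jeff describes, and assumes the RPC channel itself keeps the returned key confidential. The names `VlserverModel`, `establish_key` and `register_fileserver` are hypothetical.

```python
import hashlib
import hmac
import secrets
import uuid


def _tag(secret: bytes, *parts: bytes) -> bytes:
    # Stand-in for the integrity/authentication the Kerberos-authenticated
    # RPC would provide; not an AFS or GSS construct.
    return hmac.new(secret, b"|".join(parts), hashlib.sha256).digest()


class VlserverModel:
    """Hypothetical vlserver side: registered fileservers kept as UUID -> key."""

    def __init__(self, admin_secret: bytes):
        self._admin_secret = admin_secret  # assumption: admin credential
        self._fileserver_keys = {}

    def establish_key(self, fs_uuid: str, req_tag: bytes):
        # 1. The caller must prove it holds the registering credential.
        if not hmac.compare_digest(req_tag, _tag(self._admin_secret, b"register", fs_uuid.encode())):
            raise PermissionError("establish-key request not authenticated")
        # 2. The new fileserver's UUID must not already be in the VLDB.
        if fs_uuid in self._fileserver_keys:
            raise ValueError(f"UUID {fs_uuid} already registered")
        # 3. Generate the fileserver's key and record the association.
        key = secrets.token_bytes(32)
        self._fileserver_keys[fs_uuid] = key
        # 4. Tag the reply so the fileserver can check it came from the vlserver
        #    (the mutual-auth half). Key confidentiality is left to the channel.
        return key, _tag(self._admin_secret, b"reply", fs_uuid.encode(), key)

    def key_for(self, fs_uuid: str):
        return self._fileserver_keys.get(fs_uuid)


def register_fileserver(vl: VlserverModel, admin_secret: bytes):
    """Hypothetical register-fs client: fresh UUID, authenticated request, reply check."""
    fs_uuid = str(uuid.uuid4())  # newly generated, as the email requires
    key, reply_tag = vl.establish_key(fs_uuid, _tag(admin_secret, b"register", fs_uuid.encode()))
    # Refuse a key from anything that cannot prove it is the trusted vlserver.
    if not hmac.compare_digest(reply_tag, _tag(admin_secret, b"reply", fs_uuid.encode(), key)):
        raise PermissionError("reply not from the trusted vlserver")
    return fs_uuid, key
```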
