On 14 Feb 2013, at 22:43, Benjamin Kaduk wrote:

> On Thu, 14 Feb 2013, Andrew Deason wrote:
>
>> Can't we have it use either afs3-bos@host or afs-rxgk@_afs.cell? It
>> seems unnecessary to require the generation of a new identity for each
>> bosserver, if they're all allowed to have the cell-wide key, unless I'm
>> missing something.
>
> That seems like an implementation decision which need not be standardized,
> but yes, we could.

Implementing this would be tricky. You'd have to require that both keys were present in the same keytab, and then have gss_accept_sec_context accept any credential, and then export the accepted name and check that it matched either of the keys that you were prepared to accept. Doing that in a way that is mechanism-independent isn't possible with stock GSSAPI (we hit this problem with OpenSSH). Doing it in a mechanism-specific fashion requires all sorts of nastiness around gss_export_name.

> Simon doesn't like the idea, though.

The idea I was previously not keen on is allowing either a bos-specific rxgk token, or a cell-wide rxgk token, to be used in connections to the bosserver, as it opens up all sorts of complications when you're trying to decrypt it. I think I'm even less keen on this idea, though :)

Cheers,

Simon.

_______________________________________________
AFS3-standardization mailing list
[email protected]
http://lists.openafs.org/mailman/listinfo/afs3-standardization
