Dug Song wrote:
> 
> On Fri, 17 Mar 2000, Ken Hornstein wrote:
> 
> > I'm not sure how a GSS-API aklog would _work_.  You're not
> > authenticating _to_ anything ... you're getting a service ticket that
> > you're cramming into the kernel (after converting it to V4).  How
> > would you use GSS-API in that case?
> 
> this is nasty and wrong, but...
> 
> perhaps you could just call gss_init_sec_context() once with the krb5
> mechanism and "afs" service specified, and convert the krb5 service ticket
> returned (as a GSS token) to a krb4 ticket to be poked away somewhere.
> 

The client cannot do this alone, as the AFS token is the encrypted part
of the K4 ticket. That is what aklog/krb524 and krb524d do.

Perhaps a GSSAPI version of aklog and krb524d might be a better choice.
In this case the aklog does not have any K5 code at all! It would rely
on the krb524d to use the service ticket, to construct the K4 token/ticket,
then use gss_wrap to return it.

This then requires a GSSAPI on the Windows machine, which could be the MIT
K5 distribution, or could be the SAP GSSAPI over SSPI. (Or could be
SSPI directly rather than GSSAPI.)

Since Microsoft has said the Kerberos SSPI would be wire compatible with 
the K5 GSSAPI there is no need for the client to have to try and break out
the ticket, but rather take advantage of the GSSAPI/SSPI to authenticate
the session to krb524d. 

> the only reason i can see to do this would be to use the underlying,
> native win2k krb5 implementation to acquire the initial afs@REALM ticket,
> so that you'd only have to port over the 524 conversion routines/service,
> not an entire Kerberos distribution.

This initial afs@REALM would be the service name for krb524d. Using the GSSAPI
to do the authenticated connection means there is even less krb524 code
to port, as all the K5 code is hidden in the GSSAPI. Only the AFS token
code would be needed, and the AFS token would be returned via gss_unwrap.  

With our ak5log code we get a K5 ticket for afsx/<afscell>@<k5realm>.
Then have krb524d convert this to a K4/AFS token for afs@<afscell>.

This treats AFS as just another service, and multiple K5 realms can hand out
tickets for multiple AFS cells. The afscell and k5realm can be independent. 

> 
> ---
> http://www.monkey.org/~dugsong/

-- 

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
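The exchange Engert proposes above (client authenticates to krb524d through a GSS-style context, krb524d opens the K5 service ticket with the AFS service key, rebuilds it as a K4/AFS token and hands it back via gss_wrap), as an added simulation that is not code from this thread or from any AFS or Kerberos distribution. The cell name, realm, principal names and the HMAC-based stream cipher standing in for a Kerberos encryption type are all constructed; real GSS-API calls (gss_init_sec_context, gss_accept_sec_context, gss_wrap, gss_unwrap) are replaced by plain functions so the whole thing runs offline. The point it makes runnable is the one in the reply: the client holds only the session key, so it cannot read the ticket's encrypted part itself, while krb524d can.

```python
import hashlib
import hmac
import json
import os

# Constructed keys and names: the AFS service key is known to the KDC and krb524d only.
AFS_SERVICE_KEY = os.urandom(32)
AFS_CELL = "example.cell"          # constructed cell name
K5_REALM = "EXAMPLE.REALM"         # constructed realm name


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in keystream, not a Kerberos enctype."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key raises instead of yielding garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# --- KDC: issue a K5 service ticket for afsx/<afscell>@<k5realm> ------------
def kdc_issue_ticket(client: str) -> tuple:
    """Returns (ticket, session_key); only the session key is readable by the client."""
    session_key = os.urandom(32)
    enc_part = json.dumps({"client": client, "session_key": session_key.hex(),
                           "lifetime": 36000}).encode()
    ticket = {"service": f"afsx/{AFS_CELL}@{K5_REALM}",
              "enc_part": encrypt(AFS_SERVICE_KEY, enc_part).hex()}
    return ticket, session_key


# --- Client: gss_init_sec_context stand-in: ticket plus authenticator --------
def client_init_context(ticket: dict, session_key: bytes) -> dict:
    """The client proves it holds the session key without ever seeing AFS_SERVICE_KEY."""
    authenticator = hmac.new(session_key, ticket["enc_part"].encode(), hashlib.sha256).hexdigest()
    return {"ticket": ticket, "authenticator": authenticator}


def client_can_read_enc_part(ticket: dict, session_key: bytes) -> bool:
    """What the reply says cannot happen: the client opening the K5 ticket by itself."""
    try:
        decrypt(session_key, bytes.fromhex(ticket["enc_part"]))
        return True
    except ValueError:
        return False


# --- krb524d: accept the context, build the K4/AFS token, return it wrapped ---
def krb524d_handle(init_token: dict) -> bytes:
    ticket = init_token["ticket"]
    enc = json.loads(decrypt(AFS_SERVICE_KEY, bytes.fromhex(ticket["enc_part"])))
    session_key = bytes.fromhex(enc["session_key"])
    expected = hmac.new(session_key, ticket["enc_part"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, init_token["authenticator"]):
        raise PermissionError("authenticator does not match ticket session key")
    # K4-style ticket for afs@<afscell>: same client and session key, re-sealed
    # under the AFS service key so the file server can open it.
    k4_ticket = encrypt(AFS_SERVICE_KEY, json.dumps({
        "client": enc["client"], "service": f"afs@{AFS_CELL}",
        "session_key": enc["session_key"], "lifetime": enc["lifetime"]}).encode())
    afs_token = json.dumps({"session_key": enc["session_key"],
                            "ticket": k4_ticket.hex()}).encode()
    return encrypt(session_key, afs_token)        # gss_wrap stand-in


def client_unwrap_token(wrapped: bytes, session_key: bytes) -> dict:
    return json.loads(decrypt(session_key, wrapped))  # gss_unwrap stand-in


def run_exchange(client: str = "alice@EXAMPLE.REALM") -> dict:
    """Full round trip; summarises what the client ends up able to hand to the kernel."""
    ticket, session_key = kdc_issue_ticket(client)
    wrapped = krb524d_handle(client_init_context(ticket, session_key))
    token = client_unwrap_token(wrapped, session_key)
    # The file server, holder of the service key, can open the K4 ticket ...
    k4 = json.loads(decrypt(AFS_SERVICE_KEY, bytes.fromhex(token["ticket"])))
    return {"client": k4["client"], "service": k4["service"],
            "session_key_matches": k4["session_key"] == session_key.hex(),
            "client_could_decrypt_k5_ticket": client_can_read_enc_part(ticket, session_key)}


if __name__ == "__main__":
    print(run_exchange())
```

The authenticator check in krb524d_handle is what the GSS context buys in the design: a caller who presents someone else's ticket without the matching session key is refused before any conversion happens, and the wrapped reply is only readable by the holder of that same session key.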
