For the past year or more, Matt Benjamin and Marcus Watts have been working hard on developing rxk5, a new security mechanism for OpenAFS. It uses kerberos 5 tickets and encryption algorithms straight, and includes support for all standard kerberos 5 encryption types including AES256.
The code is currently on a branch tagged rxk5-devel-1_5_x. Our plan is to merge it to the openafs-devel-1_5_x branch, from which it will eventually make its way into an official OpenAFS release at some time in the future. Please test this code. Even if you don't plan to use any of the rxk5 features, please build it and report back here.

== About rxk5 ==

Rxk5 is a new security mechanism for OpenAFS. It uses kerberos 5 tickets and encryption algorithms straight, and includes support for all standard kerberos 5 encryption types including AES256. The exact encryption type used is decided by the kerberos kdc based on the key types stored in kerberos, and the intersection of the key types supported by the kernel & userland kerberos libraries on the client machine.

Rxk5 service is "per-cell"; all servers in a cell must be upgraded to support rxk5 before it can be turned on. However, rxk5 enabled servers can continue to support rxkad access, and rxk5 clients can use both rxk5 and rxkad to talk to different cells. At authentication time, users can force the use of either rxkad or rxk5, or let the software automatically choose rxk5 when the remote kdc is willing to issue rxk5 tickets.

With the introduction of rxk5, kaserver is "deprecated" and no longer built as a standard feature. aklog is augmented to support rxk5. A new version of klog is provided which does kerberos 5 natively (earlier versions of this have already appeared in other branches of OpenAFS). The old version of klog is still built by default but installed as "klog.ka", for use with cells that choose to continue only supporting kaserver or kerberos 4.

rxk5 should build with recent versions of heimdal & MIT kerberos. Note that some vendor releases of MIT kerberos do not necessarily export all symbols needed by rxk5. You may need to acquire the latest vendor release or build from source to get acceptable results.
The rxk5 security mechanism proper also includes experimental support for Shishi; sadly, use of this with OpenAFS is problematic due to license conflicts.

rxk5 at this point should be considered "beta" quality - it should work, but it has not yet received widespread testing & there are some remaining rough edges that need improving. Rxk5 should work on all architectures, including windows. rxk5 is an optional feature; if you do not enable it, your toes will probably not rot off, at least not right away. Test reports from users are welcome.

Other features in the rxk5 branch that aren't particularly rxk5-specific, but happen to be here because the developers aren't as smart as you so couldn't hack 64,000 different source branches: improved linux kernel configuration (pulls configuration parameters out of the linux build scripts), and "pts -localauth", which also makes it possible to more easily initialize a pt database without using "pt_util" or "bos setauth". These improvements are not conditioned by enabling rxk5.

_______________________________________________
OpenAFS-devel mailing list
https://lists.openafs.org/mailman/listinfo/openafs-devel
