Jim Rees wrote:
For the past year or more, Matt Benjamin and Marcus Watts have been working
hard on developing rxk5, a new security mechanism for OpenAFS.  It uses
kerberos 5 tickets and encryption algorithms straight, and includes support
for all standard kerberos 5 encryption types including AES256.

The code is currently on a branch tagged rxk5-devel-1_5_x.  Our plan is to
merge it to the openafs-devel-1_5_x branch, from which it will eventually
make its way into an official OpenAFS release at some time in the future.

Please test this code.  Even if you don't plan to use any of the rxk5
features, please build it and report back here.

I can build on Solaris 10 using the Solaris Kerberos.

 export KRB5CFLAGS="-I/usr/include/kerberosv5"
 export KRB5LIBS="/usr/lib/gss/mech_krb5.so -R/usr/lib/gss"
 ./configure --enable-transarc-paths \
             --with-krb5=yes \
             --enable-rxk5 \
             --enable-debug \
             --enable-namei-fileserver \
             --enable-largefile-fileserver \
             --host=sparc-sun-solaris2.10

You say below there are still issues with MIT kerberos. Solaris may
have these same issues, as it is based on MIT. I have not gotten
far enough to test yet.

The attached cvs diff file fixes these problems:

aklog_main.c code was changed, and did not support the HAVE_NO_KRB5_524
correctly. It appears that the -unwrap should also work without the 524.

comerr/error_msg.c needs to include the add_error_table code, and should
use the HAVE_ADD_ERR_R_TABLE.

While trying to build the rxk5 tests, the Sun compiler does not like
__FUNCTION__, so I replaced it.

The afsauthent.proto has a reference for xdr_rxk5_principal. This is
either not needed, or the xdr code is not being generated. To get it
to compile and link, I removed it.

src/util/assert.h defines assert as a statement. /usr/include/kerberos5/krb5.h
uses abort which cpp converts to assert but it is used as an expression. The
compiler gives an error. The new assert can be used as an expression or
a statement.

== About rxk5 ==

Rxk5 is a new security mechanism for OpenAFS.  It uses kerberos 5 tickets
and encryption algorithms straight, and includes support for all standard
kerberos 5 encryption types including AES256.  The exact encryption type
used is decided by the kerberos kdc based on the key types stored in
kerberos, and the intersection of the key types supported by the kernel &
userland kerberos libraries on the client machine.  Rxk5 service is
"per-cell"; all servers in a cell must be upgraded to support rxk5 before it
can be turned on.  However, rxk5 enabled servers can continue to support
rxkad access, and rxk5 clients can use both rxk5 and rxkad to talk to
different cells.  At authentication time, users can force the use of either
rxkad or rxk5, or let the software automatically choose rxk5 when the remote
kdc is willing to issue rxk5 tickets.

With the introduction of rxk5, kaserver is "deprecated" and no longer built
as a standard feature.  aklog is augmented to support rxk5.  A new version
of klog is provided which does kerberos 5 natively (earlier versions of this
have already appeared in other branches of OpenAFS).  The old version of klog
is still built by default but installed as "klog.ka", for use with cells
that choose to continue only supporting kaserver or kerberos 4.

rxk5 should build with recent versions of heimdal & MIT kerberos.  Note that
some vendor releases of MIT kerberos do not necessarily export all symbols
needed by rxk5.  You may need to acquire the latest vendor release or build
from source to get acceptable results.  The rxk5 security mechanism proper
also includes experimental support for Shishi; sadly, use of this with
OpenAFS is problematic due to license conflicts.

rxk5 at this point should be considered "beta" quality - it should work, but
it has not yet received wide-spread testing & there are some remaining rough
edges that need improving.  Rxk5 should work on all architectures, including
windows.  rxk5 is an optional feature; if you do not enable it, your toes
will probably not rot off, at least not right away.  Test reports from users
are welcome.

Other features in the rxk5 branch that aren't particularly rxk5-specific,
but happen to be here because the developers aren't as smart as you so
couldn't hack 64,000 different source branches: improved linux kernel
configuration (pulls configuration parameters out of the linux build
scripts), and "pts -localauth", which also makes it possible to more easily
initialize a pt database without using "pt_util" or "bos setauth".  These
improvements are not conditioned by enabling rxk5.
_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
Index: src/aklog/aklog_main.c
===================================================================
RCS file: /cvs/openafs/src/aklog/aklog_main.c,v
retrieving revision 1.12.2.2.2.2
diff -u -r1.12.2.2.2.2 aklog_main.c
--- src/aklog/aklog_main.c      26 Sep 2007 16:34:17 -0000      1.12.2.2.2.2
+++ src/aklog/aklog_main.c      20 Dec 2007 15:47:17 -0000
@@ -740,11 +740,9 @@
         * construct a encpart only 2b style ticket.
         */
 
-#ifndef HAVE_NO_KRB5_524
+/* if HAVE_NO_KRB5_524 defind, do524 will be DO524_NO or DO524_LOCAL */
+
        if (do524 != DO524_YES) {
-#else
-       {
-#endif
            char *p;
            int len;
 
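Review bot: the new comment on the `+` line spells "defined" as "defind". That comment should also say why the `#else { #endif` branch can go: the now-unconditional `if (do524 != DO524_YES)` is equivalent to the old always-taken block only while DO524_YES is unreachable when HAVE_NO_KRB5_524 is defined, which holds because the `-524` option parsing stays inside `#ifndef HAVE_NO_KRB5_524` further down; anyone who later lets `do524` default to DO524_YES would silently re-enable the 524 path under that configuration.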
@@ -791,8 +789,6 @@
                memcpy(atoken.ticket, enc_part->data, atoken.ticketLen);
            }
 #ifndef HAVE_NO_KRB5_524
-       }
-#else
        } else {
            CREDENTIALS cred;
 
@@ -828,6 +824,7 @@
            atoken.ticketLen = cred.ticket_st.length;
            memcpy(atoken.ticket, cred.ticket_st.dat, atoken.ticketLen);
 #endif /* HAVE_NO_KRB5_524 */
+       }
        
        if (!force &&
            !ktc_GetToken(&aserver, &btoken, sizeof(btoken), &aclient) &&
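Review bot: the `} else {` left under `#ifndef HAVE_NO_KRB5_524` in the previous hunk is now closed by the `}` added here after `#endif /* HAVE_NO_KRB5_524 */`, so the body of `if (do524 != DO524_YES)` is closed in both configurations. A brace that opens inside a conditional block and closes outside it is easy to break in later edits; a comment on the added line such as `}  /* do524 != DO524_YES */` would make the pairing visible.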
@@ -1391,8 +1388,8 @@
     fprintf(stderr, "    -setpag set the AFS process authentication group.\n");
 #ifndef HAVE_NO_KRB5_524
     fprintf(stderr, "    -524 means use the 524 converter instead of V5 
directly\n");
-    fprintf(stderr, "    -unwrap means do the 524 conversion locally\n");
 #endif
+    fprintf(stderr, "    -unwrap means do the 524 conversion locally\n");
 #ifdef AFS_RXK5
     fprintf(stderr, "    -k5 means do rxk5 (kernel uses V5 tickets)\n");
     fprintf(stderr, "    -k4 means do rxkad (kernel uses V4 or 2b tickets)\n");
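Review bot: the `-524` usage string on the context line is shown split across two lines (`... instead of V5` / `directly\n");`), which would not compile as printed; this looks like mail wrapping, so confirm the patch applies cleanly from the posted text rather than from the original file. Moving the `-unwrap` line out of `#ifndef HAVE_NO_KRB5_524` agrees with the option-parsing change below, so help text and parser now both offer `-unwrap` without the 524 converter.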
@@ -1477,9 +1474,9 @@
 #ifndef HAVE_NO_KRB5_524
        else if (strcmp(argv[i], "-524") == 0)
            do524 = DO524_YES;
+#endif
        else if (strcmp(argv[i], "-unwrap") == 0)
            do524 = DO524_LOCAL;
-#endif
 #ifdef AFS_RXK5
        else if (strcmp(argv[i], "-k4") == 0)
            rxk5 = FORCE_RXKAD;
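Review bot: moving `#endif` so that `-unwrap` is parsed regardless of HAVE_NO_KRB5_524 matches the help text change and preserves the invariant the first hunk depends on: `do524` can only become DO524_YES when HAVE_NO_KRB5_524 is not defined. A one-line comment at the `-unwrap` case noting that DO524_LOCAL does not use the 524 converter would make that dependency explicit for the next reader.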
Index: src/comerr/error_msg.c
===================================================================
RCS file: /cvs/openafs/src/comerr/error_msg.c,v
retrieving revision 1.6.14.2
diff -u -r1.6.14.2 error_msg.c
--- src/comerr/error_msg.c      26 Sep 2007 16:34:28 -0000      1.6.14.2
+++ src/comerr/error_msg.c      20 Dec 2007 15:47:17 -0000
@@ -169,7 +169,7 @@
     UNLOCK_ET_LIST;
 }
 
-#if 0
+#ifndef HAVE_ADD_ERROR_TABLE
 /*
  * New interfaces provided by mit krb5's com_err library
  */
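Review bot: the guard is `HAVE_ADD_ERROR_TABLE` here while the covering mail calls it `HAVE_ADD_ERR_R_TABLE`; check that the configure test defines exactly the spelling used in this hunk, because a macro that is never defined leaves the block compiled in unconditionally, including on systems whose com_err library already provides these interfaces (the context lines say they are "New interfaces provided by mit krb5's com_err library"). Only the `#if` line is changed; the matching `#endif` lies outside the hunk, so verify nothing else was meant to move with it.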
Index: src/rxk5/servconn.c
===================================================================
RCS file: /cvs/openafs/src/rxk5/Attic/servconn.c,v
retrieving revision 1.1.4.3
diff -u -r1.1.4.3 servconn.c
--- src/rxk5/servconn.c 26 Sep 2007 16:34:49 -0000      1.1.4.3
+++ src/rxk5/servconn.c 20 Dec 2007 15:47:19 -0000
@@ -584,7 +584,7 @@
 #endif
 
 Out:
-    if (code) afs_com_err(__FUNCTION__, code, when);
+    if (code) afs_com_err(__FILE__||"k5_get_cred", code, when);
 #ifdef USING_SHISHI
     if (hint->server)
        free(hint->server);
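Review bot: `__FILE__||"k5_get_cred"` is a logical OR of two non-null pointers, not string concatenation; it evaluates to the int 1, which `afs_com_err` then receives as its `char *` "whom" argument and dereferences, so the first error reported through this path will crash instead of printing. Adjacent string literals concatenate in C with no operator, so the replacement for `__FUNCTION__` that the Sun compiler accepts is `afs_com_err(__FILE__ ":k5_get_cred", code, when);` or simply `afs_com_err("k5_get_cred", code, when);`.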
Index: src/shlibafsauthent/afsauthent.proto
===================================================================
RCS file: /cvs/openafs/src/shlibafsauthent/Attic/afsauthent.proto,v
retrieving revision 1.1.2.1
diff -u -r1.1.2.1 afsauthent.proto
--- src/shlibafsauthent/afsauthent.proto        26 Sep 2007 16:34:53 -0000      
1.1.2.1
+++ src/shlibafsauthent/afsauthent.proto        20 Dec 2007 15:47:19 -0000
@@ -65,7 +65,6 @@
 <rxk5>
 initialize_RXK5_error_table
 add_afs_token_rxk5
-xdr_rxk5_principal
 <all>
 free_afs_token
 encode_afs_token
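Review bot: dropping `xdr_rxk5_principal` from the `<rxk5>` export list changes the symbol set the shared library exports. The mail says the routine is either unneeded or its XDR code is not being generated; if it is the latter, the fix belongs in the rule that generates that code, and removing the export only hides the missing symbol. Confirm that nothing in the tree or in consumers of libafsauthent references the function before merging.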
Index: src/util/assert.h
===================================================================
RCS file: /cvs/openafs/src/util/assert.h,v
retrieving revision 1.4
diff -u -r1.4 assert.h
--- src/util/assert.h   14 Jan 2003 00:46:48 -0000      1.4
+++ src/util/assert.h   20 Dec 2007 15:47:19 -0000
@@ -12,4 +12,4 @@
 
 void AssertionFailed(char *file, int line);
 
-#define assert(ex) do{if (!(ex)) AssertionFailed(__FILE__, __LINE__);}while(0)
+#define assert(ex) (void)((ex)?0:(AssertionFailed(__FILE__, __LINE__),0))
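Review bot: the new macro is a single expression of type void, so it can appear in expression context (which the do/while form could not) and still works as a statement, including in an unbraced if/else. Two constraints worth documenting in the header next to it: the `(void)` cast means the result cannot be used as a value, and `AssertionFailed` must keep returning void, since `(AssertionFailed(__FILE__, __LINE__),0)` relies on the comma operator to supply the int the conditional needs. Because this header redefines the standard `assert` name, a later include of <assert.h> can redefine it back; that ordering constraint predates the patch but is the kind of thing that bites when krb5.h is included after this header.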

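To illustrate the statement-versus-expression distinction that the assert.h change addresses, here is an added example that is not code from the mail or from OpenAFS: it defines both macro forms under the hypothetical names assert_stmt and assert_expr (so they do not clash with the standard assert) and uses a constructed AssertionFailed() that counts failures instead of aborting.

```c
#include <stdio.h>

/* Constructed stand-in for OpenAFS's AssertionFailed(): instead of aborting
 * it counts failures, so both macro forms can be exercised in one program. */
static int failures;

void AssertionFailed(char *file, int line)
{
    (void)file;
    (void)line;
    failures++;
}

/* Old form from src/util/assert.h: a statement, only usable where a
 * statement may appear. Renamed here so it does not clash with <assert.h>. */
#define assert_stmt(ex) do { if (!(ex)) AssertionFailed(__FILE__, __LINE__); } while (0)

/* New form from the patch: an expression of type void, so it can also sit
 * inside a larger expression, e.g. as an operand of the comma operator. */
#define assert_expr(ex) (void)((ex) ? 0 : (AssertionFailed(__FILE__, __LINE__), 0))

/* Expression context, the way a header that uses assert() inside an
 * expression would. Swapping in assert_stmt here is a syntax error, because
 * a do/while statement cannot be an operand of the comma operator. */
int checked_deref(const int *p)
{
    return (assert_expr(p != NULL), p ? *p : -1);
}

/* Statement context: both forms are accepted here. */
int check_positive(int v)
{
    assert_stmt(v > 0);
    assert_expr(v > 0);
    return failures;
}

int assertion_failures(void) { return failures; }
void reset_failures(void) { failures = 0; }

static int sample = 7;   /* constructed input for the demonstration */

int main(void)
{
    int v = checked_deref(&sample);
    printf("checked_deref(&sample) = %d, failures = %d\n", v, assertion_failures());
    v = checked_deref(NULL);
    printf("checked_deref(NULL) = %d, failures = %d\n", v, assertion_failures());
    return 0;
}
```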