AFS authentication and authorization have been based on Kerberos V4. When used with Kerberos V5, either the KDC must issue a K4 ticket, or a krb524d is required to convert V5 tickets to V4 tickets so they can be used for AFS tokens.

We would like to separate the method used for authentication from the generation/use of the AFS tokens. As part of the Globus Project(tm), http://www.globus.org, we are working on an alternate solution, which allows other authentication methods to be used to obtain AFS tokens.

This is accomplished by using GSSAPI from the client, gsiklog, to authenticate to a daemon, gsiklogd, running on one or more of the AFS database server machines. A request is then sent, protected by the GSS, to the daemon, which returns an AFS token, also protected by the GSS. The daemon uses the gss_inquire functions to get the client's identity and lifetime, and uses these to construct an AFS token, using a simple mapping database which maps GSS identities to AFS users. Since the token is sent using the GSS wrap/unwrap, it is not encrypted in a Kerberos tgt session key. This completely separates the authentication from the token generation, and in our case the GSSAPI is based on SSL.

The gsiklog is a modified klog based on OpenAFS, and the gsiklogd is a modified gss demo program which calls routines based on OpenAFS to generate tokens. You will need the Transarc or OpenAFS libs and includes and a GSSAPI implementation.

The gsiklog and gsiklogd could also be used with the Kerberos GSSAPI. Doing this means you don't need a KDC which understands V4, or a krb524d. It also means that one could use stronger keys for authentication with Kerberos V5, yet still use the DES keys with the tokens, or even update the keys in the tokens, separate from the authentication. It also means that future tokens are not required to be based on V4 or V5 tickets, but could use some other format.

If anyone is interested, a beta version of this is available at: ftp://achilles.ctd.anl.gov/pub/DEE/gsiklog-0.9.tar

Comments?

-- 
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

_______________________________________________
OpenAFS-info mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-info
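The gsiklog/gsiklogd exchange described in the post, as an added example in Python that is not part of the post or of the gsiklog distribution. The real GSSAPI is replaced by a stand-in context object so the example runs offline: it assumes GSS context establishment has already completed, so both sides hold a context key, and the daemon can read the initiator name and context lifetime the way it would through gss_inquire_context(). HMAC-SHA256 plus an HMAC-derived keystream stand in for gss_wrap()/gss_unwrap(); the mapping database entries, the cell name, the 25-hour daemon-side cap and the token layout (a dict rather than a real AFS token) are all constructed for the example. It shows the points the post makes: identity and lifetime come from the GSS context rather than from a Kerberos ticket, the token is bounded by that context lifetime, an identity with no mapping gets no token, and a modified wrapped message is rejected at unwrap.

```python
"""Simulated gsiklog / gsiklogd exchange (added example, not the project's code)."""
import hashlib
import hmac
import json
import os
import time


class GssContext:
    """Stand-in for an established GSS security context (assumption: the
    client and daemon share this object, as both hold the real context)."""

    def __init__(self, initiator_name, lifetime_sec, key=None):
        self.initiator_name = initiator_name
        self.lifetime_sec = lifetime_sec
        self.key = key or os.urandom(32)

    def inquire_context(self):
        # What gsiklogd reads through gss_inquire_context(): the
        # authenticated client name and the remaining context lifetime.
        return self.initiator_name, self.lifetime_sec

    def _keystream(self, nonce, n):
        out, counter = b"", 0
        while len(out) < n:
            out += hmac.new(self.key, nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            counter += 1
        return out[:n]

    def wrap(self, plaintext):
        """Confidentiality + integrity, stand-in for gss_wrap() with conf_req."""
        nonce = os.urandom(16)
        body = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self.key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def unwrap(self, token):
        """Stand-in for gss_unwrap(); raises if the message was modified."""
        nonce, body, tag = token[:16], token[16:-32], token[-32:]
        expect = hmac.new(self.key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("GSS_S_BAD_SIG: wrapped message failed integrity check")
        return bytes(a ^ b for a, b in zip(body, self._keystream(nonce, len(body))))


# Constructed mapping database (the post's "simple mapping database"):
# GSS identity -> AFS user name. Entries are invented for the example.
MAPDB = {
    "/C=US/O=Globus/O=Argonne National Laboratory/CN=Douglas Engert": "dee",
    "/C=US/O=Globus/O=Argonne National Laboratory/CN=Some User": "someuser",
}
MAX_TOKEN_LIFETIME = 25 * 3600  # daemon-side cap on token lifetime (assumption)


def gsiklogd_handle(ctx, wrapped_request, mapdb=MAPDB, now=None):
    """Daemon side: unwrap the request, map the GSS identity, build and wrap a token."""
    now = int(time.time()) if now is None else now
    request = json.loads(ctx.unwrap(wrapped_request))
    name, ctx_lifetime = ctx.inquire_context()
    afs_user = mapdb.get(name)
    if afs_user is None:
        # No mapping: the client authenticated, but gets no AFS token.
        return ctx.wrap(json.dumps({"error": "no AFS mapping for %s" % name}).encode())
    # The token never outlives the client's request, the GSS context, or the cap.
    lifetime = min(int(request.get("lifetime", MAX_TOKEN_LIFETIME)),
                   ctx_lifetime, MAX_TOKEN_LIFETIME)
    token = {
        "cell": request["cell"],
        "afs_user": afs_user,
        "start": now,
        "end": now + lifetime,
        # Stand-in for the token's DES session key: 8 random bytes, hex encoded.
        "session_key": os.urandom(8).hex(),
    }
    return ctx.wrap(json.dumps(token).encode())


def gsiklog(ctx, cell, lifetime=MAX_TOKEN_LIFETIME, mapdb=MAPDB, now=None):
    """Client side: send a GSS-wrapped request, unwrap the daemon's reply."""
    request = json.dumps({"cell": cell, "lifetime": lifetime}).encode()
    reply = gsiklogd_handle(ctx, ctx.wrap(request), mapdb, now)
    result = json.loads(ctx.unwrap(reply))
    if "error" in result:
        raise PermissionError(result["error"])
    return result


if __name__ == "__main__":
    ctx = GssContext(next(iter(MAPDB)), lifetime_sec=10 * 3600)
    print(gsiklog(ctx, "example.cell", lifetime=24 * 3600))
```

Nothing about the token depends on a Kerberos ticket: the daemon trusts the name and lifetime the GSS context reports, which is what lets the authentication mechanism (SSL-based GSI here, or Kerberos V5 through its GSSAPI) change without touching token generation.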
