Interesting... will take a look, does sound promising, particularly for integration with NT...
Yucky tar file though that extracts into src/*... But that's just cosmetic. :)

-- Nathan

> -----Original Message-----
> From: Douglas E. Engert [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 10, 2001 10:19 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: [OpenAFS] Separating AFS tokens generation from Authentication
>
> AFS authentication and authorization have been based on Kerberos V4.
> When used with Kerberos V5, either the KDC must issue a K4 ticket,
> or a krb524d is required to convert V5 tickets to V4 tickets so they
> can be used for AFS tokens.
>
> We would like to separate the method used for authentication from the
> generation/use of the AFS tokens.
>
> As part of the Globus Project(tm), http://www.globus.org we are working on an
> alternate solution, which allows other authentication methods to be used to
> obtain AFS tokens.
>
> This is accomplished by using GSSAPI from the client, gsiklog, to authenticate
> to a daemon, gsiklogd, running on one or more of the AFS database server
> machines. A request is then sent protected by the GSS to the daemon, who
> returns an AFS token, also protected by the GSS. The daemon used the gss_inquire
> functions to get the client's identity and lifetime, and used these to construct
> an AFS token, using a simple mapping database which maps GSS identities to AFS users.
>
> Since the token is sent using the GSS wrap/unwrap, it is not encrypted in
> a Kerberos tgt session key. This completely separates the authentication from
> the token generation, and in our case the GSSAPI is based on SSL.
>
> The gsiklog is a modified klog based on OpenAFS, and the gsiklogd is a modified
> gss demo program which calls routines based on OpenAFS to generate tokens. You
> will need the Transarc or OpenAFS libs and includes and a GSSAPI implementation.
>
> The gsiklog and gsiklogd could also be used with the Kerberos GSSAPI. Doing this
> means you don't need a KDC which understands V4, or a krb524d. It also means that
> one could use stronger keys for authentication with Kerberos V5, yet still
> use the DES keys with the tokens, or even update the keys in the tokens, separate
> from the authentication. It also means that future tokens are not required to be
> based on V4 or V5 tickets, but could use some other format.
>
> If anyone is interested a beta version of this is available at:
> ftp://achilles.ctd.anl.gov/pub/DEE/gsiklog-0.9.tar
>
> Comments?
>
> --
> Douglas E. Engert <[EMAIL PROTECTED]>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
> _______________________________________________
> OpenAFS-info mailing list
> [EMAIL PROTECTED]
> https://lists.openafs.org/mailman/listinfo/openafs-info
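An added illustration of the daemon-side decision Doug describes (peer identity and remaining lifetime taken from the GSS context, a mapping database from GSS identities to AFS users, and a token built from both); this is example code, not code from gsiklogd, gsiklog or OpenAFS. The mapping-file format, the DN-style identities, the daemon-side lifetime cap and the token representation are all assumptions for the example; the GSS context itself is abstracted as the values gss_inquire_context would report.

```python
"""Model of a gsiklogd-style token-issuing decision (added example, not project code)."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed mapping database. Assumed format: "<GSS identity> <AFS user>" per
# line, '#' starts a comment; the identity may contain spaces, the user may not.
MAPPING_DB = """
# GSS identity                                 AFS user
/O=Grid/O=Globus/OU=example.org/CN=Alice Example   alice
/O=Grid/O=Globus/OU=example.org/CN=Bob Example     bob
"""

# Assumed daemon-side upper bound on any issued token, independent of what the
# client asks for or how long its GSS credential is still valid.
MAX_TOKEN_LIFETIME_SECS = 25 * 3600


@dataclass(frozen=True)
class AfsToken:
    """Stand-in for the AFS token the daemon returns (wrapped by GSS on the wire)."""
    afs_user: str
    lifetime_secs: int


def parse_mapping(text: str) -> Dict[str, str]:
    """Load the GSS-identity -> AFS-user mapping; malformed lines are rejected."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.rsplit(None, 1)  # last field is the AFS user
        if len(parts) != 2:
            raise ValueError(f"malformed mapping line: {raw!r}")
        mapping[parts[0].strip()] = parts[1]
    return mapping


def issue_token(peer_identity: str, context_lifetime_secs: int,
                requested_lifetime_secs: int,
                mapping: Dict[str, str]) -> Optional[AfsToken]:
    """Return a token for an authenticated peer, or None to refuse.

    Refuses unmapped identities and expired contexts. The token lifetime is the
    minimum of the request, the remaining authentication lifetime and the cap,
    so a token never outlives the credential that was used to obtain it.
    """
    afs_user = mapping.get(peer_identity)
    if afs_user is None or context_lifetime_secs <= 0:
        return None
    lifetime = min(requested_lifetime_secs, context_lifetime_secs,
                   MAX_TOKEN_LIFETIME_SECS)
    if lifetime <= 0:
        return None
    return AfsToken(afs_user, lifetime)
```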
