On 3/3/2010 3:32 PM, Andrew Deason wrote:
> On Wed, 3 Mar 2010 18:36:25 +0000
> Simon Wilkinson <[email protected]> wrote:
>
>> On 3 Mar 2010, at 18:28, Russ Allbery wrote:
>>
>>> Why wouldn't klog.krb5 be applicable to rxgk, at least in the
>>> abstract (doing the work is another matter)? It's just the
>>> combination of a kinit and aklog without storing the credentials in
>>> the file system. It should be usable with any Kerberos-based
>>> authentication mechanism.
>>
>> Because rxgk doesn't care what GSSAPI mechanism is being used to get
>> the initial credentials. The tools that AFS provides assume that a set
>> of credentials are available (from Kerberos, from GSI, from a local
>> smart card ...), and simply does GSSAPI calls from then on.
>
> I'm not familiar with this area of the code at all, but are you saying
> you cannot acquire krb5 creds within an application, and (through some
> GSS hoops) pass it on to rxgk? That we must have a ticket cache (e.g.
> pointed to by KRB5CCNAME) available?
>
> I believe I am just misunderstanding you, but that is what I am hearing.
rxgk is not Kerberos based. Kerberos happens to be one of the authentication mechanisms that can be used via a GSSAPI mechanism to produce rxgk tokens. The others that will be available will include the GSI GSSAPI mechanism, which will permit direct use of x.509 certificates for obtaining rxgk tokens, and SCRAM, which is a password-based GSSAPI mechanism.

As with any Kerberos-based GSSAPI mechanism, there needs to be a credential cache. Even klog.krb5 uses a credential cache. It just destroys the contents of the cache it creates after it is finished. The difference is that klog.krb5 is capable of directly requesting the afs[/<cell>]@<REALM> service ticket and does not need to first obtain a TGT. When the GSSAPI krb5 mechanism is used, a TGT is always required. The GSSAPI, being mechanism agnostic, does not provide a method to obtain initial credentials.

Returning to a point that Russ made earlier: he stated that 95% of users will be using Kerberos v5 for authentication. That is certainly true today. However, I do not expect mobile phones, for example, to be authenticating with Kerberos. I expect they will use the built-in x.509 certificates. Once rxgk is widely available we may see a very significant change in the common usage pattern.

Jeffrey Altman