On Wed, Dec 16, 2009 at 10:47:27AM +0000, Chris Ridd wrote:
> On 15 Dec 2009, at 19:40, Nicolas Williams wrote:
> > Customer need for SCRAM is certainly a potential driver for funding.
>
> Alternatively, is there a community opportunity here? I do work with
> one of the RFC's other authors (Alexey) who also has commit access to
> Cyrus SASL. I've no idea what might be involved in the Solaris SASL
> resync.

I've an enormous stack of "community opportunity" items to work on.
This one is on it. But I've only so many hours to dedicate to any one
task, and some are ones I actually get paid to do... The same is true
of all other engineers that I could rope into implementing SCRAM :(

> > (Note that there's two ways to implement SCRAM: either as a pure SASL
> > mechanism, or as a GSS-API mechanism accessed as a SASL one via the
> > "GS2" mechanism bridge [draft-ietf-sasl-gs2]. The latter is probably
> > more desirable for Solaris, since it's more generic.)
>
> Interesting. I don't know what the implications of having two
> mechanisms might be for clients/applications.

 - you could use ftp with SCRAM
 - you could use ssh with SCRAM
 - you could use secure NFS with SCRAM

One would need a command by which to create SCRAM credentials files
(think of the SCRAM equivalent of krb5 ccaches) containing {server name,
user ID, password} or else changes to provide a prompting system that
can execute even from the secure NFS gssd daemon.

Nico
--