
Re: Heimdal and r* client programs

Balazs GAL wrote:
> On 2002-08-13, Tillman Hodgson wrote:
> > Obviously I have a kerberos 5 ticket, though I don't have a v4 one. Is
> > auth.conf only for v4?
> E.g. if you use ssh ticket forwarding and my Heimdal port of Nalin's
> pam_krb5, then you can convert the forwarded krb5 TGT to krb4 and AFS
> tokens too. (http://www.rit.bme.hu/~balsa/pam_krb5)

Let me jump in with a plug for the gssklog, as it is intended to work
with K5 via GSSAPI to get an AFS token. (I am working on the PAM exit.)

We are currently using the MIT krb524 code and a modified aklog, but want
to get rid of them.

One of the problems we are trying to address is the elimination
of K4 as much as possible. This means the KDC does not support K4, there
is no krb524 daemon, and no K4 tickets are ever cached. The only K4 code
left is in handling the AFS token, and this is taken from OpenAFS.

A W2K domain controller or DCE secd, which don't support K4, can then be used.
(I know they still could with the krb524, and we are doing that today.)

Eliminating the krb524 will also allow us to eliminate a lot of Kerberos-
specific code.

The gssklog helps accomplish this, in that it authenticates to the gssklogd
using GSSAPI. It then returns an AFS token, not a full K4 ticket. It is
protected (encrypted) by gss_wrap, not encrypted in the user's key or the TGT key.
The gssklog client does not directly do any decryption.
There is no MIT or Heimdal Kerberos source code in the gssklog, just excerpts
of the OpenAFS code which handle the token. There is MIT or Heimdal
code in the GSSAPI libraries, but we would like to use other GSSAPIs as well,
both Kerberos and others. (Martin Rex's GSSAPI over SSPI, and the Globus GSI which
is X509 and SSL based, both of which don't use MIT or Heimdal.)

When the OpenAFS developers convert the AFS token from being based on K4 to K5,
we will change the gssklog as needed. We still want to authenticate to AFS using
GSSAPIs other than Kerberos.


> balsa


 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444