OpenAFS and OpenSSH replacing kafs
Nicolas Williams
Nicolas.Williams at sun.com
Tue Mar 2 09:11:53 EST 2004
Markus asks:
> if GSSAPI is the great generic security server API it claims
> to be, then it can hide all this stuff from sshd.
Correct, the GSS-API has gaps, such as:
- There's no way to make delegated GSS credentials available for
acquisition through GSS_Acquire_cred()/GSS_Add_cred().
See:
http://www.ietf.org/internet-drafts/draft-williams-gssapi-store-deleg-creds-00.txt
for a proposed solution which involves adding a function,
GSS_Store_cred(), for storing gss_cred_id_t's in the "current"
credentials store. Manipulation of credential stores is left as
platform-specific, or for future extensions.
The only objection I've had to this has been that GSS_Store_cred()
does not seem to allow for per-session credential stores, however I
do believe that PAM and GSS_Store_cred() could interact such that
this is not an issue.
This is the biggest gap in the GSS-API.
- There's no way to inquire a mechanism for its "features." E.g.,
there's no way to know if a mechanism indicated by
GSS_Indicate_mechs() is SPNEGO or otherwise negotiates mechanisms,
which, as we know, must not be used in SSHv2.
Note that authorization is not, however, an area where the GSS-API has
gaps, but it is an area which may be handled differently on different
platforms -- a consideration for portable code.
Cheers,
Nico
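The second gap above (no way to ask a mechanism whether it negotiates other mechanisms) is usually closed in practice by comparing mechanism OIDs against the known SPNEGO OID, since SSHv2 must not run SPNEGO inside its own negotiation. The following is an added illustration, not code from this thread or from OpenSSH: it decodes the raw OID element bytes that a gss_OID carries, filters out SPNEGO from a constructed mechanism list, and derives the RFC 4462 key-exchange method name ("gss-group1-sha1-" + Base64(MD5(DER-encoded OID))) for each remaining mechanism. The sample OID byte strings are constructed from the public Kerberos V5 and SPNEGO OID values.

```python
import base64
import hashlib

# Well-known mechanism OIDs (public values, dotted form).
KRB5_OID = "1.2.840.113554.1.2.2"
SPNEGO_OID = "1.3.6.1.5.5.2"

# Constructed sample input: the element bytes a gss_OID would hold
# (DER content octets, without the 0x06 tag and length byte).
KRB5_ELEMENTS = bytes.fromhex("2a864886f712010202")
SPNEGO_ELEMENTS = bytes.fromhex("2b0601050502")


def decode_oid(elements: bytes) -> str:
    """Turn gss_OID element bytes into dotted notation ("1.2.840...")."""
    if not elements:
        raise ValueError("empty OID")
    first = elements[0]
    # The first octet packs the first two arcs as 40*arc1 + arc2.
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value, pending = 0, False
    for b in elements[1:]:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)       # high bit set: more octets follow
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID encoding")
    return ".".join(str(a) for a in arcs)


def encode_oid(dotted: str) -> bytes:
    """Inverse of decode_oid: dotted notation to gss_OID element bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] >= 40):
        raise ValueError("invalid OID arcs")
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)  # continuation bit on all but last
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def der_encode_oid(elements: bytes) -> bytes:
    """Wrap element bytes in the DER OBJECT IDENTIFIER tag and length."""
    if len(elements) >= 128:
        raise ValueError("long-form lengths not handled in this example")
    return b"\x06" + bytes([len(elements)]) + elements


def ssh_kex_method_name(elements: bytes, prefix: str = "gss-group1-sha1-") -> str:
    """RFC 4462 method name: prefix + Base64(MD5(DER-encoded mechanism OID))."""
    digest = hashlib.md5(der_encode_oid(elements)).digest()
    return prefix + base64.b64encode(digest).decode("ascii")


def usable_ssh_mechs(mech_list):
    """Drop SPNEGO, which SSHv2 must not use, since the GSS-API cannot be
    asked whether a mechanism negotiates. This explicit OID comparison is the
    workaround for the inquiry gap, not a GSS-API feature."""
    return [m for m in mech_list if decode_oid(m) != SPNEGO_OID]


if __name__ == "__main__":
    # Simulates what GSS_Indicate_mechs() might return on a host with both mechs.
    for mech in usable_ssh_mechs([KRB5_ELEMENTS, SPNEGO_ELEMENTS]):
        print(decode_oid(mech), "->", ssh_kex_method_name(mech))
```

The filter keys on the OID rather than on any behavioural probe, because, as the message notes, nothing in the API itself reports that a mechanism is a negotiation pseudo-mechanism.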