OpenAFS and OpenSSH replacing kafs

Douglas E. Engert deengert at anl.gov
Wed Mar 3 00:10:44 EST 2004



Nicolas Williams wrote:
> 
> Markus asks:
> 
> > if GSSAPI is the great generic security server API it claims
> > to be, then it can hide all this stuff from sshd.
> 
> Correct, the GSS-API has gaps, such as:
> 
>  - There's no way to make delegated GSS credentials available for
>    acquisition through GSS_Acquire_cred()/GSS_Add_cred().
> 
>    See:
> 
>    http://www.ietf.org/internet-drafts/draft-williams-gssapi-store-deleg-creds-00.txt


Also see: http://www.ietf.org/internet-drafts/draft-engert-ggf-gss-extensions-00.txt

which defines gss_export_cred, which handles exporting of the delegated cred,
and includes the gss_inquire_sec_context_by_oid and gss_inquire_cred_by_oid calls
to address your inquiry problems.

This draft was produced by the Global Grid Forum, http://www.ggf.org


> 
>    for a proposed solution which involves adding a function,
>    GSS_Store_cred(), for storing gss_cred_id_t's in the "current"
>    credentials store.  Manipulation of credential stores is left as
>    platform-specific, or for future extensions.
> 
>    The only objection I've had to this has been that GSS_Store_cred()
>    does not seem to allow for per-session credential stores, however I
>    do believe that PAM and GSS_Store_cred() could interact such that
>    this is not an issue.
> 
>    This is the biggest gap in the GSS-API.
> 
>  - There's no way to inquire a mechanism for its "features."  E.g.,
>    there's no way to know if a mechanism indicated by
>    GSS_Indicate_mechs() is SPNEGO or otherwise negotiates mechanisms,
>    which, as we know, must not be used in SSHv2.
> 
> Note that authorization is not, however, an area where the GSS-API has
> gaps, but it is an area which may be handled differently on different
> platforms -- a consideration for portable code.
> 
> Cheers,
> 
> Nico
> --
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
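The second gap Nico lists above (no way to ask a mechanism whether it negotiates other mechanisms, so an SSHv2 implementation cannot be told by the API which entries from GSS_Indicate_mechs() are SPNEGO) is worked through below as an added example. It is not code from this thread, from OpenSSH or from either draft; it shows the only workaround the API leaves open, which is to recognise SPNEGO by its well-known OID (1.3.6.1.5.5.2) and filter it out. The oid_desc struct is an assumption of the example: it copies the layout of the GSS-API's gss_OID_desc (RFC 2744) so the file compiles without gssapi.h, and the mechanism list handed to the filter is constructed inline rather than obtained from a real GSS_Indicate_mechs() call.

```c
#include <stdio.h>
#include <string.h>

/*
 * Stand-in for the GSS-API's gss_OID_desc (RFC 2744), declared here only
 * so this example builds without gssapi.h.  Real code uses the header.
 */
typedef struct {
    size_t length;                  /* number of DER content bytes */
    const unsigned char *elements;  /* DER-encoded OID body, no tag/length */
} oid_desc;

/* 1.3.6.1.5.5.2: SPNEGO (RFC 2478), the negotiating pseudo-mechanism. */
static const unsigned char spnego_der[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };
/* 1.2.840.113554.1.2.2: Kerberos V5 (RFC 1964), a concrete mechanism. */
static const unsigned char krb5_der[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12,
                                          0x01, 0x02, 0x02 };

static const oid_desc spnego_oid = { sizeof spnego_der, spnego_der };
static const oid_desc krb5_oid   = { sizeof krb5_der,   krb5_der };

/* Byte-exact comparison: the OID is the only identity the API exposes. */
int oid_equal(const oid_desc *a, const oid_desc *b)
{
    return a->length == b->length &&
           memcmp(a->elements, b->elements, a->length) == 0;
}

/*
 * Decode a DER OID body into dotted-decimal text (for logging which
 * mechanism was dropped).  Returns the number of characters written, or
 * -1 on a short buffer or an arc cut off by the end of the encoding.
 */
int oid_to_string(const oid_desc *oid, char *buf, size_t buflen)
{
    size_t pos = 0;
    unsigned long arc = 0;
    int in_arc = 0, first = 1;

    if (buflen == 0)
        return -1;
    buf[0] = '\0';

    for (size_t i = 0; i < oid->length; i++) {
        arc = (arc << 7) | (oid->elements[i] & 0x7f);
        in_arc = (oid->elements[i] & 0x80) != 0;   /* high bit: more bytes follow */
        if (in_arc)
            continue;
        int n;
        if (first) {
            /* The first byte packs two arcs as 40*X + Y, with X in 0..2. */
            unsigned long x = arc < 80 ? arc / 40 : 2;
            n = snprintf(buf + pos, buflen - pos, "%lu.%lu", x, arc - 40 * x);
            first = 0;
        } else {
            n = snprintf(buf + pos, buflen - pos, ".%lu", arc);
        }
        if (n < 0 || (size_t)n >= buflen - pos)
            return -1;
        pos += (size_t)n;
        arc = 0;
    }
    return in_arc ? -1 : (int)pos;
}

/*
 * Copy the mechanisms from `offered` that SSHv2 may use into `usable`,
 * skipping SPNEGO.  Returns how many were kept (at most `cap`).
 */
size_t usable_ssh_mechs(const oid_desc *offered, size_t n,
                        const oid_desc **usable, size_t cap)
{
    size_t kept = 0;
    for (size_t i = 0; i < n && kept < cap; i++) {
        if (oid_equal(&offered[i], &spnego_oid))
            continue;   /* a negotiating mechanism must not be offered inside SSH's own negotiation */
        usable[kept++] = &offered[i];
    }
    return kept;
}

int main(void)
{
    /* Constructed stand-in for a GSS_Indicate_mechs() result. */
    const oid_desc offered[] = { krb5_oid, spnego_oid };
    const oid_desc *usable[2];
    char text[64];

    size_t n = usable_ssh_mechs(offered, 2, usable, 2);
    for (size_t i = 0; i < n; i++) {
        oid_to_string(usable[i], text, sizeof text);
        printf("usable mech: %s\n", text);   /* prints "usable mech: 1.2.840.113554.1.2.2" */
    }
    return 0;
}
```

The filter is deliberately a deny-list keyed on one OID: the API gives no feature bits to allow-list on, so any other negotiating pseudo-mechanism a vendor ships would pass through unless its OID is added here. That is exactly the maintenance burden a GSS_Inquire_mech-style feature query would remove.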