[14649] in Kerberos
Re: Kerberized NFS Linux client?
daemon@ATHENA.MIT.EDU (Rainer Orth)
Tue Jul 10 16:31:53 2001
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: rk21@gre.ac.uk, kerberos@MIT.EDU
Mime-Version: 1.0 (generated by tm-edit 7.106)
Content-Type: text/plain; charset=US-ASCII
From: Rainer Orth <ro@TechFak.Uni-Bielefeld.DE>
Date: 10 Jul 2001 22:29:07 +0200
In-Reply-To: Ken Hornstein's message of "Tue, 10 Jul 2001 14:59:35 -0400"
Message-ID: <yddhewk4jfw.fsf@xayide.TechFak.Uni-Bielefeld.DE>

Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:

> - You need to get a standardized RPCSEC_GSS implementation. The one that
> comes with MIT Kerberos is _not_ such a thing. I believe Sun has a
> reference implementation that could be used, but I forget where that's
> located.

In fact, this is pretty hard to find ;-( There's a link on
http://soldc.sun.com/tools/

> - You'd need to port that to work with a freely available GSSAPI implementation
> (such as Heimdal or MIT Kerberos) and to your target OS. Probably not
> a lot of work.

Indeed, especially if you start from MIT Kerberos: the mechanism plug-in
code there has been contributed by Sun and is most likely (though I haven't
really checked) `almost there' to allow plugging it into Sun's RPCSEC_GSS
implementation.

> - You'd need to modify the NFS client on the Linux box to _use_ this
> RPCSEC_GSS implementation. If it all happens in the kernel, you'll
> either need to cram all of Kerberos 5/GSSAPI into the kernel, or
> create a callout interface (which is how Sun's implementation works,
> IIRC).

This part is already available in the CITI NFS V4 implementation: it `just'
needs to be adapted to the NFS V2/V3 client code.

> - You'll need to create some way to make the user client credentials
> available to the NFS client implementation.

Just reuse the gssd from CITI NFS V4.

> None of this is _hard_ (for some definition of hard), but it's still
> a significant amount of work.

Indeed, and given the complete current lack of any non-Sun implementation
of any non-AUTH_UNIX RPC authentication flavor, nobody was really
interested until now, neither commercial vendors nor the free software
community (maybe with the exception of AUTH_KRB4 for *BSD).

I hope this will finally change with the mandatory inclusion of
RPCSEC_GSS/Kerberos V5 in NFS V4, but I wouldn't hold my breath.

Rainer

--
-----------------------------------------------------------------------------
Rainer Orth, Faculty of Technology, Bielefeld University
Email: ro@TechFak.Uni-Bielefeld.DE