[1168] in linux-security and linux-alert archive
[linux-security] Re: GSSAPI for Linux (follow up..)
daemon@ATHENA.MIT.EDU (Andrew G. Morgan)
Thu Sep 19 15:58:20 1996
From: "Andrew G. Morgan" <morgan@parc.power.net>
To: linux-security@tarsier.cv.nrao.edu (Linux Security)
Date: Thu, 19 Sep 1996 11:00:49 -0700 (PDT)
Cc: jvc@la.tis.com
I emailed a question about GSSAPI [General Security Services
Application Program Interface] a week or two ago. Prompted by a
request from Jeff Cook, it seemed like a good idea to make a follow up
posting...
A number of people [Jeff Cook, Isaac Hollander, Jared Mauch, Martin
v.Loewis, Manoj V S Kasichainula, Eric M. Boyd and Dhaval M Shah (if I
missed you out, please email me again; I must have lost your email :( )]
responded with some relevant comments.
Background:
----------
For the uninitiated, GSSAPI is an attempt to define a standard for
the use of off-the-shelf security service implementations by general
applications.
From my reading of the two relevant RFCs [which I have collected for
convenience at
http://parc.power.net/morgan/Linux-GSS/index.html
], the basic idea of GSS is a generic set of calls that will provide for
a secure exchange of information between remote computers over
otherwise insecure channels.
To be GSSAPI compliant, a security service must provide the gss_xxx
calls documented in the RFCs. Similarly, to take advantage of such
generic services, an application blindly calls these functions to
secure its data.
Information:
------------
From the various emails I received, it has become clear that there is
a reasonably complete implementation of GSSAPI for Kerberos 5 [
http://web.mit.edu/krb5/www/kerberos.html
ftp://athena-dist.mit.edu/pub/ATHENA/kerberos
]. Also, a JAVA-based front end to the Kerberos implementation can be
found at
http://choices.cs.uiuc.edu/Security/JGSS/jgss.html
In addition, there is an ILU implementation [
ftp://ftp.parc.xerox.com/pub/ilu/ilu.html
ftp://ftp.parc.xerox.com/pub/ilu
]
Of course, Kerberos is only available within the US.
Outside the US, there is a ~90% pure JAVA implementation being pursued
by Dhaval M. Shah, of the University of Wollongong, Australia.
Discussion:
-----------
The point of my question, was to find out how flexible the GSSAPI is
and to what extent implementations are freely available throughout the
world.
Basically, I have found that outside the US there are no finished
implementations of it available for free, and Kerberos, being written
within the US, is export-restricted. So there is not much in the way of
global availability.
Jeff Cook did point me at the following URL:
http://www.tis.com/crypto/ice.html
which looks interesting, and seems (at a first glance) to be more
along the lines of the thoughts I was having when I posed my original
question.
Finally, what I had in mind when I posted before was an idea of
developing a "pluggable" implementation of the GSSAPI that works like
PAM. That is to say, the implementation is really a library that loads
independently provided "modules" that perform the digital
signatures/encryption etc. services. PAM has shown that this is both a
viable and flexible method of dealing with authentication services, so
I got to thinking about other types of security service.
My motivation is to develop a globally available interface for
security services, free of export restrictions and commercial licenses,
that will encourage applications developers to start offering some
security to their users. [Since the library I am proposing to build
will have no encryption in it, it should be free of export
restrictions...] I'd also like to produce a digital signature module
that will offer people the peace of mind that no-one is going to
hijack their telnet session etc. This would be useful even in
countries where the use of encryption is forbidden by law.
I am still interested in doing this, but perhaps GSSAPI is not
sufficiently general...?
I welcome your comments.
Andrew
morgan@parc.power.net
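The post above describes two things in prose: the GSSAPI calling pattern (an application calls generic gss_* entry points, exchanging opaque tokens until a context is established, then signing or sealing messages), and the idea of a PAM-style library that loads independently provided modules to do the actual signing. The following C program is an added example written for this archive page; it is not code from the post, from MIT Kerberos, or from any GSSAPI implementation. It models both ideas in miniature: a table of function pointers stands in for the module interface, a generic establish() driver on the application side knows nothing but that table, and a toy integrity-only "mechanism" supplies the entry points. The token/context types, the status codes, the fixed nonce, the shared key, and the keyed FNV-1a tag are all constructed assumptions for illustration; the tag is not a cryptographic MAC and the real API uses gss_buffer_t, OIDs and major/minor status pairs rather than these simplified signatures.

```c
/* Added example: a PAM-style pluggable GSS-like layer in miniature.
 * Not from the original post or any GSS-API implementation. The module
 * table, token format and status codes are assumptions; the "mechanism"
 * uses a keyed FNV-1a tag, which is NOT cryptographically secure and only
 * illustrates the call pattern (establish, get_mic, verify_mic). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { GSS_S_COMPLETE = 0, GSS_S_CONTINUE_NEEDED, GSS_S_BAD_SIG,
       GSS_S_DUPLICATE_TOKEN, GSS_S_FAILURE };

typedef struct { uint8_t data[64]; size_t len; } token_t;

/* Per-context state; the application treats it as opaque. */
typedef struct { uint64_t key; uint64_t nonce; uint32_t seq_out, seq_in;
                 int established; } ctx_t;

/* What a pluggable mechanism must supply (a model of the gss_* calls). */
typedef struct {
    const char *name;
    int (*init_sec_context)(ctx_t *c, const token_t *in, token_t *out);
    int (*accept_sec_context)(ctx_t *c, const token_t *in, token_t *out);
    int (*get_mic)(ctx_t *c, const uint8_t *msg, size_t n, token_t *mic);
    int (*verify_mic)(ctx_t *c, const uint8_t *msg, size_t n, const token_t *mic);
} gss_mech_t;

/* ---- toy mechanism: keyed FNV-1a over key || a || b (illustrative only) ---- */
static uint64_t tag64(uint64_t key, const uint8_t *a, size_t na,
                      const uint8_t *b, size_t nb) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (int i = 0; i < 8; i++) { h ^= (uint8_t)(key >> (8 * i)); h *= 0x100000001b3ULL; }
    for (size_t i = 0; i < na; i++) { h ^= a[i]; h *= 0x100000001b3ULL; }
    for (size_t i = 0; i < nb; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}
static void put64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint64_t get64(const uint8_t *p) { uint64_t v = 0; for (int i = 0; i < 8; i++) v |= (uint64_t)p[i] << (8 * i); return v; }

static int toy_init(ctx_t *c, const token_t *in, token_t *out) {
    if (in->len == 0) {                        /* first call: emit a challenge */
        c->nonce = 0x5eed5eed5eed5eedULL;      /* constructed; a real mech draws a random nonce */
        put64(out->data, c->nonce); out->len = 8;
        return GSS_S_CONTINUE_NEEDED;
    }
    if (in->len != 8) return GSS_S_FAILURE;    /* second call: check the acceptor's proof */
    uint8_t n[8]; put64(n, c->nonce);
    if (get64(in->data) != tag64(c->key, n, 8, NULL, 0)) return GSS_S_BAD_SIG;
    out->len = 0; c->established = 1;          /* nothing more to send */
    return GSS_S_COMPLETE;
}
static int toy_accept(ctx_t *c, const token_t *in, token_t *out) {
    if (in->len != 8) return GSS_S_FAILURE;
    put64(out->data, tag64(c->key, in->data, 8, NULL, 0)); out->len = 8;
    c->established = 1;
    return GSS_S_COMPLETE;
}
/* MIC token = 4-byte sequence number || 8-byte tag over (seq || msg). */
static int toy_get_mic(ctx_t *c, const uint8_t *msg, size_t n, token_t *mic) {
    if (!c->established) return GSS_S_FAILURE;
    uint32_t seq = ++c->seq_out;
    for (int i = 0; i < 4; i++) mic->data[i] = (uint8_t)(seq >> (8 * i));
    put64(mic->data + 4, tag64(c->key, mic->data, 4, msg, n)); mic->len = 12;
    return GSS_S_COMPLETE;
}
static int toy_verify_mic(ctx_t *c, const uint8_t *msg, size_t n, const token_t *mic) {
    if (!c->established || mic->len != 12) return GSS_S_FAILURE;
    if (get64(mic->data + 4) != tag64(c->key, mic->data, 4, msg, n)) return GSS_S_BAD_SIG;
    uint32_t seq = 0; for (int i = 0; i < 4; i++) seq |= (uint32_t)mic->data[i] << (8 * i);
    if (seq <= c->seq_in) return GSS_S_DUPLICATE_TOKEN;   /* replayed or reordered */
    c->seq_in = seq;
    return GSS_S_COMPLETE;
}
static const gss_mech_t toy_mech = { "toy-integrity", toy_init, toy_accept,
                                     toy_get_mic, toy_verify_mic };

/* ---- application side: generic driver that knows only the module table.
 * Both peers run in-process here; in practice the tokens cross the network. */
static int establish(const gss_mech_t *m, ctx_t *init, ctx_t *acc) {
    token_t to_acc = {{0}, 0}, to_init = {{0}, 0};
    int si = GSS_S_CONTINUE_NEEDED, sa = GSS_S_CONTINUE_NEEDED;
    for (int round = 0; si == GSS_S_CONTINUE_NEEDED && round < 8; round++) {
        si = m->init_sec_context(init, &to_init, &to_acc);
        if (si != GSS_S_COMPLETE && si != GSS_S_CONTINUE_NEEDED) return si;
        if (to_acc.len == 0) break;
        sa = m->accept_sec_context(acc, &to_acc, &to_init);
        if (sa != GSS_S_COMPLETE && sa != GSS_S_CONTINUE_NEEDED) return sa;
        to_acc.len = 0;
    }
    return (si == GSS_S_COMPLETE && sa == GSS_S_COMPLETE) ? GSS_S_COMPLETE : GSS_S_FAILURE;
}

int main(void) {
    ctx_t a = {0}, b = {0};
    a.key = b.key = 0x0123456789abcdefULL;     /* constructed shared key */
    if (establish(&toy_mech, &a, &b) != GSS_S_COMPLETE) return 1;
    const uint8_t msg[] = "login root";
    token_t mic;
    toy_mech.get_mic(&a, msg, sizeof msg - 1, &mic);
    printf("%s: verify=%d\n", toy_mech.name, toy_mech.verify_mic(&b, msg, sizeof msg - 1, &mic));
    return 0;
}
```

The point to take from the driver is that establish() never looks inside a token or a context: it only loops while the initiator reports GSS_S_CONTINUE_NEEDED and ferries each output token to the other side, which is exactly what lets a different module be dropped in without touching the application. verify_mic checks the tag before the sequence number, so a forged token is rejected as GSS_S_BAD_SIG rather than leaking whether its sequence number was fresh, and a replayed token is reported separately.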