[384] in Kerberos_V5_Development
Sun AUTH_KERB NFS scheme
jtkohl@ATHENA.MIT.EDU (jtkohl@ATHENA.MIT.EDU)
Mon Oct 29 14:35:38 1990
This is from Mark Stein, an engineer at Sun working on some
kerberos-related stuff. He said I could distribute it to krbdev.
Date: Mon, 29 Oct 90 11:00:38 PST
From: marks@Eng.Sun.COM (Mark Stein)
To: jtkohl@ATHENA.MIT.EDU
Subject: Re: Kerberized NFS becoming a product?
Cc: marks@Eng.Sun.COM
John,
Our "Kerberized NFS" implementation does not relate at all to the
Athena uid mapping scheme. It uses the "AUTH_KERB" RPC authentication
flavor to achieve Kerberos-authenticated NFS requests.
Basically, the scheme works like this: AUTH_KERB is modelled after
AUTH_DES in that there is an initial authentication handshake to
establish principal identities and pass a session DES key to be used
for subsequent RPC verification. Timestamps encrypted with the session
key are used for verifiers. A Kerberos ticket is used in the initial
handshake for AUTH_DES in place of the Diffie-Hellman key exchange used
in AUTH_DES. Kerberos interactions are handled by the RPC library
transparently. Ticket expiration times are associated with the RPC
credential and are enforced.
NFS uses AUTH_KERB if that mode of authentication is selected by option.
(In addition, we are working on the mount protocol to allow the server to
tell the client what mode of authentication to use.) So that lots of
kerberos-specific code does not need to be ported to the kernel, the kernel
AUTH_KERB RPC code talks to a user daemon which handles generation and
verification of tickets. This step is only required on the initial
handshake. Kernel DES code handles the subsequent verifications.
Several issues concern me at the moment:
1) Effect of NFS ticket timeouts on users. (New service tickets are obtained transparently if a valid TGT is present.) I am looking at how V5 renewable tickets can help here.
2) Will V5 tickets be able to replace V4 tickets in the request and be handled transparently by a server AUTH_KERB which has been linked with V5 kerberos libraries? Maybe you can help me out on this one...
Interoperability is a big concern for us. I am in the process of dealing
with our legal people to work out how we can make early code available
to outsiders for test and feedback. Once we feel confident that it is
solid, we will be releasing AUTH_KERB as part of the freely licensed RPC
source, and the kernel implementation as part of the licensed NFS source
product from Sun.
Are you interested in doing anything with the AUTH_KERB version of Kerberized
NFS?
BTW, I got the V5 code up and running last week and am in the process of
getting more familiar with what's going on in it. I'll be giving you some
feedback in the next week or two.
--Mark
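The verifier scheme Mark describes (a session key established in the initial handshake, timestamps encrypted under it as per-request verifiers, and ticket expiry enforced on the credential) can be modelled on the server side as follows. This is an added illustration, not Sun's AUTH_KERB code; the stand-in keyed transform used in place of DES, the 60-second window and the field names are assumptions, and the checks (credential expiry, clock-skew window, monotonic timestamps against replay) are the point.

```python
"""Model of an AUTH_DES/AUTH_KERB-style RPC verifier: an encrypted timestamp
checked for credential expiry, freshness and replay. Illustrative only."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass


def _stream_xor(session_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for DES (assumption): XOR with an HMAC-SHA256 keystream."""
    stream = hmac.new(session_key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def make_verifier(session_key: bytes, secs: int, usecs: int) -> bytes:
    """Client side: encrypt the current time under the session key."""
    nonce = os.urandom(8)
    return nonce + _stream_xor(session_key, nonce, struct.pack("!II", secs, usecs))


@dataclass
class Credential:
    """Server-side state established by the initial (ticket) handshake."""
    session_key: bytes
    ticket_expiry: int      # seconds; taken from the Kerberos ticket
    window: int = 60        # acceptable clock skew in seconds (assumed)
    last_secs: int = -1     # last accepted timestamp, for replay detection
    last_usecs: int = -1


def check_verifier(cred: Credential, verifier: bytes, now: int) -> str:
    """Server side: return 'ok' or the reason the request is rejected."""
    if now >= cred.ticket_expiry:
        return "credential expired"          # ticket lifetime is enforced
    nonce, body = verifier[:8], verifier[8:]
    if len(body) != 8:
        return "malformed verifier"
    secs, usecs = struct.unpack("!II", _stream_xor(cred.session_key, nonce, body))
    if abs(now - secs) > cred.window:
        return "timestamp outside window"    # wrong key or stale clock
    if (secs, usecs) <= (cred.last_secs, cred.last_usecs):
        return "replayed or stale timestamp" # must increase strictly
    cred.last_secs, cred.last_usecs = secs, usecs
    return "ok"
```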