On Tue, 2004-02-17 at 16:56, Greg Troxel wrote:

> Another alternative is to replace the RPC2 N-S scheme with the use of
> GSS-API wrapping, and then to use Kerberos. This would rely on
> well-reviewed security protocols that are believed to be sound. While
> Kerberos is non-trivial to set up, it isn't that much harder than
> auth2. One would replace getting tokens with establishing a binding
> at the server from a kerberos principal to a coda uid (by consulting
> the equivalent of .klogin, probably in some authentication database,
> or by the obvious 'gdt._at_IR.BBN.COM can be coda user gdt in the
> ir.bbn.com coda realm' mapping. This binding setup would also
> exchange the initial GSS-API state, so that datagram wrapping could be
> done on the rpc2 data. Unfortunately, the code has not been written
> yet.

I have been working on adding GSS-API authentication to auth2 and clog. It uses GSS-API to authenticate and then wrap the coda tokens for the client, who can unwrap them and use them. I haven't looked at what venus does with those tokens (in fact I don't really have a clue), but at least the authentication part is basically there. Any authorization code would be (gss) implementation specific, but I don't think it would be too hard to add other authentication systems (I'm testing with kerberos and gsi).

-M

Received on 2004-02-17 12:04:00