Using GSS-API in Linux kernel

Marcus Watts mdw at umich.edu
Mon Mar 18 05:28:33 EST 2002


"noam rinetzky" <noamrinetzky at hotmail.com> writes:
...
> I'm writing a network application in which clients and servers run inside
> Linux Kernel. It requires authentication and message integrity. I was
> thinking of using Kerberos for authentication and getting the security
> services by using gssapi. However it looks like the implementation of gssapi
> seems to use "user-land" library and headers such as errno, malloc etc.
>
> I was wondering if anyone knows if it is possible to use gssapi inside the
> kernel, and what is required in order to do so.
...

I wouldn't recommend using MIT's gssapi library in the kernel.
Even more important: avoid using the MIT K5 rpc-on-gssapi stuff,
as it has design and methodology problems.

CITI at the University of Michigan has put some work into gssapi,
kerberos, and the kernel, for NFS v4 and such like.  I think I'd
start by talking to them and seeing what they have.  Try mailing:
	andros at umich.edu
	honey at umich.edu
I see someone else has already posted a link pointing to their web
page on this.

Personally, I think you'd be better off avoiding the use
of gssapi unless you have some sort of religious reason to use it,
or you intend to support smart cards and other things, so
can actually make use of the flexibility gssapi offers.
I think most of the reasons you might want to use gssapi are
probably also good reasons why you would want to use whatever
it is that you are doing in userland.

				-Marcus Watts
				UM ITCS Umich Systems Group


