Portability, RPC and kerberos v5?

Wyllys Ingersoll wyllys.ingersoll at sun.com
Fri Oct 8 09:33:43 EDT 2004


Rob J Meijer wrote:

>I'm currently working on the design of an authorisation system. For authentication, making use of kerberos v5
>seems the most suitable. I need the processes make authenticated RPC requests to a set of authorisation and
>capability broking servers. The problem I am having is that my 2 main specs seem to give me a bit
>of a problem to combine:
>                                                                                                                                                                     
>* I need to use portable IPC/RPC (Solaris,Linux,*BSD,AIX,True64,OS-X,Win2000)
>* I need to use Kerberos v5 authentication.
>                                                                                                                                                                     
>I've seen that the Kerberos v4 authentication is seeminly quite wide spread in all Sun-RPC implementations,
>  
>

Kerberos V4 never worked correctly in any Solaris releases as far as I 
know.  Its not available after Solaris 7.
Solaris 8, 9, (and 10) only support Kerberos V5.   The secure RPC 
protocol used in Solaris is "RPCSEC-GSS"
and the security mechanism is Kerberos V5.

>and on my solaris system there apears to be some aditional authentication define that seems to give a hook
>to something called GSS, where in the header files there seems to be reference to kerberos v5, but as this
>define does not seem to be pressent in the rpc header files on either FreeBSD or Linux, I think this might
>not be quite portable.
>  
>
RPCSEC_GSS is an open standard, anyone can implement it if they want 
to.  I believe the team at
University of Michigan implemented RPCSEC_GSS for Linux but its not yet 
part of any standard
Linux distros.

>                                                                                                                                                                     
>Am I right? Or should I use sun-rpc with this gss stuf as defined in the rpc header files on solaris?
>It is not so important that the code I now use is portable, as it is that the communication is portable,
>if I need to use an other API on solaris than on Linux, BSD and yet an other on win2000, that would be an obsacle I
>could overcome. If however the Linux client library or the win2000 client library was unable to comunicate and
>authenticate to the authorisation server running on Solaris, this would be a problem.
>  
>

Well then, it seems you have a problem.   I don't think there is a 
single, standard, secure RPC protocol
that will work for Linux, BSD, Windows, and Solaris at this time.

If you take away your requirement to use "RPC",  then you could probably 
have better success. GSSAPI
is supported on all of the above mentioned platforms.  On Windows, use 
the SSPI programming interface,
it is wire-compatible with GSSAPI and interoperates with GSSAPI apps on 
Linux and Solaris.

>                                                                                                                                                                     
>Any pointers would be apriciated. I need portable kerberos 5 authenticated RPC that is portable between
>Solaris,Linux,*BSD,AIX,True64,OS-X and Win2000, am I looking in the right direction, or is this just plain
>not possible?
>  
>

Maybe not possible right now.

-Wyllys



More information about the Kerberos mailing list