Globus/GSI versus Kerberos

Douglas E. Engert deengert at anl.gov
Thu Jul 7 11:51:02 EDT 2005



Tim Warnock wrote:

> 
> I was curious if anyone has any comments (personal/political/technical) 
> or could point me to a decent resource comparing Globus versus 
> Kerberos.  I've had to work with Globus quite a bit, and the overall 
> trend in the existing GSI-based research grids is to move towards 
> centrally managed cert/key repositories despite the pure GSI notion of 
> keeping everything distributed.  There's a handful of new research 
> projects that basically take GSI and add that "centralized" portion, 
> although in my opinion it's starting to resemble a Kerberos 
> architecture.  In my case, in effort to get Globus actually working for 
> our users, we had to create a similar "centralized" architecture (see 
> gridauth.com), this ended up purposely abstracting Globus. It's 
> abstracted in such a way we could easily drop Globus (GSI-based CA) and 
> replace it with Kerberos or even a simple password hash scheme.  For our 
> users needs this would be perfectly suitable (and transparent), except 
> politically it would raise hell.
> 
> I know a lot of work has gone into building the bridge between Kerberos 
> and GSI, but in this case it's more a matter of utilizing a secure 
> authentication mechanism that's easiest to manage centrally (to the 
> users and developers it's all abstracted behind RESTful web services). 
> Any thoughts or advice would be appreciated, technical papers or 
> security reports comparing the two systems would be great as well.
> 

Here are some personal as well as technical comments. But I wil try and
stay away from an thing political.

I wrote the original GSSAPI part of GSI version 1.0.x, but have not been
active in the Globus project for a number of years and have not kept up
with what was going on in versions 3 and above. I am still very active in
the Kerberos community.

There have been (and maybe) some sites using the Kerberos GSSAPI with
Globus. But this was early on, and I have not talked to them on
what they are doing today.

A main differences between GSI and Kerberos is that the credentials
are symmetric in GSI (both sides use X509 certificates and keys
and the GSI in effect uses the SSL/TLS protocols), but in Kerberos they
are usually asymmetric, (the client uses a ticket, the server a keytab.)
Globus does a lot of user-to-user authentication, where user processes are
started on a machine, and act as servers to other processes on
other machines usually started by the same user. They authenticate between
each other, using "user-to-user". Kerberos has this concept as well, where a
server can be using a ticket. But the Kerberos GSSAPI does not support this.
There was a IETF draft from 2001:
    "draft-swift-win2k-krb-user2user-03.txt"
based on Microsoft's implementation that is used with SSPI. There
are also mods available for MIT krb5-1.3.x to add this support.

Another difference is the GGF defined some extensions to gssapi
that addressed some needs of Globus from a GSSAPI.  For example, Storing
of the delegated credentials, delegation at any time, access to additional
information in the credentials and setting of additional options. Early
versions of Globus where careful to test if these where available in the
gssapi mech being used. I am not sure about testing with current versions.
The  IETF Kitten group is aware of this document which was published as an
IETF informational draft:
   "draft-engert-ggf-gss-extensions-01.txt"
A more up to date version can be found at:
  http://www-fp.globus.org/security/standards/draft-ggf-gss-extensions-09.doc
The user-2-user mods for krb5-1.3.x also had a few of these extensions as
well.

There is also a mech_glue to allow a server like sshd to use either the
Kerberos or GSI gssapi. But note that sshd does not need any of the gss
extensions :
  http://grid.ncsa.uiuc.edu/gssapi-mechglue/

If you to contact me, I can try and put you in touch with some of the
sites that are/have used Kerberos with Globus. You may also want to ask
your questions on the <discuss at globus.org> mail list.


-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


More information about the Kerberos mailing list