rpcsec_gss and Kerberos 5

Derek Atkins warlord at MIT.EDU
Mon Jun 3 09:29:01 EDT 2002


When I was working with the RPCSEC_GSS code at Sun (back in '95-96) we
didn't even use a .x file -- we hand-generated the XDR parsers and
unparsers.  This was due to the fact that we wanted to do things that
rpcgen did not support.

Things may have changed in the intervening years.

-derek

Rainer Orth <ro at TechFak.Uni-Bielefeld.DE> writes:

> Ken Raeburn <raeburn at MIT.EDU> writes:
> 
> > Rainer Orth <ro at TechFak.Uni-Bielefeld.DE> writes:
> > > Indeed.  Besides, switching to RPCSEC_GSS instead of AUTH_GSSAPI would give
> > > interoperability with Sun's SEAM kadmind which used RPCSEC_GSS from the
> > > start.
> > 
> > Assuming we use a similar enough protocol definition on top of RPC.
> > The current MIT protocol has no ".x" file to feed to rpcgen, and in
> > fact I don't think it's easy to create one.  For one thing, we have a
> > 32-bit value we transmit as 8 bits in one place....  Mistakes like
> > that can be corrected when we're making such a significant
> > incompatible protocol change.
> 
> Since a couple of Sun employees are watching (and posting to) this list,
> they might be able to get you a copy of the .x file used in their
> implementation.  Unfortunately, the Sun SEAM sources are not yet publicly
> available (not even to licensees of the full Solaris 8 sources), though
> that might change when the Solaris 9 sources hit the streets (if they ever
> do).
> 
> > > Sun's TI-RPC implementation even allows for the registration of additional
> > > authentication flavors via svc_auth_reg(3NSL) (something older TS-RPC based
> > > implementations don't support), so it might even be possible to support
> > > both flavors in a single kadmind (at least on Solaris systems).
> > 
> > Maybe.  I'm not sure if the way our gssrpc authentication works would
> > fit properly into the rpcsec model.  It's something to look into.
> 
> It doesn't need to fit: this function allows you to register a completely
> different authentication flavor (parallel to AUTH_SYS, AUTH_DH, etc.), not
> just a different GSSAPI mechanism.
> 
> 	Rainer
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> http://mailman.mit.edu/mailman/listinfo/krbdev

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available


