rpcsec_gss and Kerberos 5
Ken Raeburn
raeburn at MIT.EDU
Fri May 31 17:24:01 EDT 2002
Rainer Orth <ro at TechFak.Uni-Bielefeld.DE> writes:
> Indeed. Besides, switching to RPCSEC_GSS instead of AUTH_GSSAPI would give
> interoperability with Sun's SEAM kadmind which used RPCSEC_GSS from the
> start.
Assuming we use a similar enough protocol definition on top of RPC.
The current MIT protocol has no ".x" file to feed to rpcgen, and in
fact I don't think it's easy to create one. For one thing, we have a
32-bit value we transmit as 8 bits in one place.... Mistakes like
that can be corrected when we're making such a significant
incompatible protocol change.
> Sun's TI-RPC implementation even allows for the registration of additional
> authentication flavors via svc_auth_reg(3NSL) (something older TS-RPC based
> implementations don't support), so it might even be possible to support
> both flavors in a single kadmind (at least on Solaris systems).
Maybe. I'm not sure if the way our gssrpc authentication works would
fit properly into the rpcsec model. It's something to look into.
More information about the krbdev
mailing list