kerberos custom credential cache
J. Bruce Fields
bfields at fieldses.org
Tue Sep 26 19:46:30 EDT 2006
On Tue, Sep 26, 2006 at 12:08:47PM -0500, wrote:
> Hmm.. That's a problem with my cache type. I suppose I can work around
> it for now, but is there anything being thought of that can provide
> more granular access? Perhaps something like the AFS PAG?
Yes, we've been working on something like that for a while, but it's
hard to predict when it will be ready. It's turned out to be more
difficult than expected!
> >> Also, our site uses aes256 keys for everything, so I would like to
> >> investigate what might be needed to support encryption types other
> >> than single des, specifically types 16-18. Has anyone looked into
> >> this?
> >
> >Yes, I'm working on it right now, but it may take some time.
>
> Is there anything I can do to assist the effort?
My first draft of the triple-DES support is here:
http://linux-nfs.org/cgi-bin/gitweb.cgi?p=bfields-2.6.git;a=shortlog;h=des3-support
(I realize triple DES isn't the most desired; it was just easy to get
started on. Probably I should have gone ahead with AES first
instead....)
We need to finish that and work on more algorithms. That means:
- digesting the relevant Kerberos RFCs
- getting the kernel<->gssd interface right. I think it's
  almost there, but I'm still a little confused about how to identify
  encryption types.
- writing kernel code to handle the data exchange for the
  various algorithms.
I'll try to post some design notes to the wiki as I go along to help
anyone that wants to contribute.
Information about which enctypes in particular people care about is
useful.
--b.