Date: Sat, 12 Nov 2005 10:42:42 +0000
From: Doug Rabson <dfr@nlsystems.com>
To: arch@freebsd.org
Subject: New extensible GSSAPI implementation
Message-ID: <200511121042.42425.dfr@nlsystems.com>

For quite a while now (far too long in fact), I've been slowly working on an extension framework for GSS-API. This was partly prompted by an interest in NFSv4 which requires both LIPKEY [RFC2847] as well as Kerberosv5 as security providers. The existing FreeBSD GSS-API library comes from Heimdal and only provides Kerberosv5. It is also a necessary pre-requisite for an implementation of RPCSEC_GSS which I'm not quite ready to commit.

The new GSS-API code acts as a plugin framework which can use any shared library GSS-API implementation that conforms to the C-bindings set out in RFC2744. I have changed the heimdal build process to build its GSS-API implementation as a plugin. I have not implemented any new GSS-API mechanisms.

One clear advantage to this system is that the GSS-API framework itself is tiny (20k of code on i386) and includes no crypto code. It also has no dependencies so applications don't have to supply a random list of heimdal implementation details when they link with it.

In an attempt to move us closer to the de-facto standard for GSS-API, I've moved the gssapi header file to /usr/include/gssapi. This is where it lives on every non-BSD system that I've looked at, including OS X.

I have also included a complete set of manpages for the api with text culled from the RFC (markup by me - mandoc police take note). It is currently missing manpages for two new config files, /etc/gss/mech and /etc/gss/qop. You can read the Solaris manpages for these files at http://docs.sun.com/app/docs/doc/816-5174/6mbb98uh0?a=view.

The patch is too large to post here but you can find it at http://people.freebsd.org/~dfr/gss-12112005.diff. It has survived limited buildworld testing on one architecture and limited testing on a newly installed FreeBSD-current machine. I have not attempted to build any GSS-API using ports and I expect there to be problems in that area due to the moved header file and changed linking requirements.

Any comments, feedback, patches welcome...