Date:      Sat, 12 Nov 2005 10:42:42 +0000
From:      Doug Rabson <dfr@nlsystems.com>
To:        arch@freebsd.org
Subject:   New extensible GSSAPI implementation
Message-ID:  <200511121042.42425.dfr@nlsystems.com>


For quite a while now (far too long in fact), I've been slowly working 
on an extension framework for GSS-API. This was partly prompted by an 
interest in NFSv4 which requires both LIPKEY [RFC2847] as well as 
Kerberosv5 as security providers. The existing FreeBSD GSS-API library 
comes from Heimdal and only provides Kerberosv5. It is also a necessary 
pre-requisite for an implementation of RPCSEC_GSS which I'm not quite 
ready to commit.

The new GSS-API code acts as a plugin framework which can use any shared 
library GSS-API implementation that conforms to the C-bindings set out 
in RFC2744. I have changed the heimdal build process to build its 
GSS-API implementation as a plugin. I have not implemented any new 
GSS-API mechanisms.

One clear advantage to this system is that the GSS-API framework itself 
is tiny (20k of code on i386) and includes no crypto code. It also has 
no dependencies so applications don't have to supply a random list of 
heimdal implementation details when they link with it.

In an attempt to move us closer to the de-facto standard for GSS-API, 
I've moved the gssapi header file to /usr/include/gssapi. This is where 
it lives on every non-BSD system that I've looked at, including OS X. I 
have also included a complete set of manpages for the api with text 
culled from the RFC (markup by me - mandoc police take note). It is 
currently missing manpages for two new config files, /etc/gss/mech 
and /etc/gss/qop. You can read the Solaris manpages for these files at 
http://docs.sun.com/app/docs/doc/816-5174/6mbb98uh0?a=view.

The patch is too large to post here but you can find it at 
http://people.freebsd.org/~dfr/gss-12112005.diff. It has survived 
limited buildworld testing on one architecture and limited testing on a 
newly installed FreeBSD-current machine. I have not attempted to build 
any GSS-API-using ports and I expect there to be problems in that area 
due to the moved header file and changed linking requirements.

Any comments, feedback, patches welcome...
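As an added illustration (not code from the patch above), here is how a framework of this kind can turn an /etc/gss/mech line into a mechanism table entry and select a mechanism by the RFC 2744 OID bytes rather than by name. It assumes the Solaris mech file layout the mail points to (name, dotted OID, shared-library path, optional extra fields); the mech_oid/mech_entry types and the sample line are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Stand-in for an RFC 2744 gss_OID_desc: DER-encoded arcs, no tag or length byte. */
typedef struct { uint32_t length; unsigned char elements[32]; } mech_oid;

/* Append one base-128 arc, most significant group first, continuation bit on all but the last. */
static int put_arc(mech_oid *o, unsigned long v) {
    unsigned char tmp[10]; int n = 0;
    do { tmp[n++] = v & 0x7f; v >>= 7; } while (v);
    if (o->length + n > sizeof o->elements) return -1;
    while (n--) o->elements[o->length++] = tmp[n] | (n ? 0x80 : 0);
    return 0;
}

/* Convert dotted text such as "1.2.840.113554.1.2.2" into gss_OID element bytes. */
int oid_from_dotted(const char *s, mech_oid *o) {
    unsigned long a1, a2; char *end;
    o->length = 0;
    a1 = strtoul(s, &end, 10); if (*end != '.' || a1 > 2) return -1;
    a2 = strtoul(end + 1, &end, 10); if (a1 < 2 && a2 > 39) return -1;   /* X.690 limit */
    if (put_arc(o, a1 * 40 + a2)) return -1;
    while (*end == '.') {
        unsigned long v = strtoul(end + 1, &end, 10);
        if (put_arc(o, v)) return -1;
    }
    return *end == '\0' ? 0 : -1;   /* reject trailing junk in the OID field */
}

/* One mech-file entry: name, OID, and the shared library the framework would dlopen(). */
typedef struct { char name[32]; mech_oid oid; char lib[128]; } mech_entry;

/* Parse one line: returns 0 on an entry, 1 for comment/blank, -1 for a malformed line. */
int parse_mech_line(const char *line, mech_entry *e) {
    char oid[64];
    if (line[0] == '#' || line[0] == '\n' || line[0] == '\0') return 1;
    if (sscanf(line, "%31s %63s %127s", e->name, oid, e->lib) != 3) return -1;
    return oid_from_dotted(oid, &e->oid);
}

/* Pick the table entry whose OID bytes match the mechanism a peer's token names. */
const mech_entry *find_mech(const mech_entry *t, int n, const mech_oid *want) {
    for (int i = 0; i < n; i++)
        if (t[i].oid.length == want->length &&
            memcmp(t[i].oid.elements, want->elements, want->length) == 0) return &t[i];
    return NULL;
}
```

Keying the lookup on the encoded OID is what lets the framework stay mechanism-agnostic: a peer's token carries the OID, not a name, and an unknown OID simply yields no entry.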
