How to update or should we update Kerberos

Benjamin Kaduk kaduk at mit.edu
Tue May 29 16:22:03 UTC 2018 

On Tue, May 29, 2018 at 06:04:23AM -0700, Cy Schubert wrote:
> In message <YTOPR0101MB095376A67E0BBB4A2961F4BBDD6D0 at YTOPR0101MB0953.CAN
> PRD01.P
> ROD.OUTLOOK.COM>, Rick Macklem writes:
> > Sean Bruno wrote:
> > [stuff snipped]
> > >Heh, yeah, I asked this question *wrong*.  I know how we use it in the
> > >cluster.  :-)
> > >
> > >I mean to ask, "why aren't we using ports for kerberos?"  What purpose
> > >does it serve in the base system?
> > Although I have no idea how many use it, both the NFS client and server can d
> > o
> > Kerberized mounts. I haven't tried, but it probably needs some bits to build 
> > it
> > and if you move it to ports, there would be duplicates (and the opportunity t
> > o
> > have one change without the other introducing a hard to find bug).
> >
> > Also, I'd argue that security technology like this is pretty "core".
> >
> > I am mainly referring to the libraries and client side stuff and not the KDC.
> 
> IMO the base should only contain the libraries and client side.

I'm inclined to agree -- running a KDC with the implementation in
the base system doesn't seem like a great plan to me.

To expand the NFS use case a bit more, NFS uses the GSS-API to
secure RPCs (only when security features are enabled, of course).
The GSS-API normally operates only with message tokens that are
opaque to the application layer, but for efficiency/speed we want to
do the bulk data processing in the kernel.  The traditional way to
do this is to have an implementation-specific extension to the
GSS-API that exposes a "lucid" (i.e., not opaque) structure with
information about a security context and its key material, and shove
that stuff into the kernel to use for per-message processing.  Since
this non-standard structure is implementation-specific, it's
generally expected that the kernel code is kept in sync with the
userspace code that does the actual security context
negotiation/handshake and the key export.  This basically requires
having it in the base system, AFAICT.

-Ben

More information about the freebsd-arch mailing list