New extensible GSSAPI implementation

From: Doug Rabson (dfr_at_nlsystems.com)
Date: 11/12/05

  • Next message: Robert Watson: "Re: New extensible GSSAPI implementation"

To: arch@freebsd.org
Date: Sat, 12 Nov 2005 10:42:42 +0000


    For quite a while now (far too long in fact), I've been slowly working
    on an extension framework for GSS-API. This was partly prompted by an
    interest in NFSv4 which requires both LIPKEY [RFC2847] as well as
    Kerberosv5 as security providers. The existing FreeBSD GSS-API library
    comes from Heimdal and only provides Kerberosv5. It is also a necessary
    prerequisite for an implementation of RPCSEC_GSS which I'm not quite
    ready to commit.

    The new GSS-API code acts as a plugin framework which can use any shared
    library GSS-API implementation that conforms to the C-bindings set out
    in RFC2744. I have changed the Heimdal build process to build its
    GSS-API implementation as a plugin. I have not implemented any new
    GSS-API mechanisms.

    One clear advantage to this system is that the GSS-API framework itself
    is tiny (20k of code on i386) and includes no crypto code. It also has
    no dependencies so applications don't have to supply a random list of
    Heimdal implementation details when they link with it.

    In an attempt to move us closer to the de facto standard for GSS-API,
    I've moved the gssapi header file to /usr/include/gssapi. This is where
    it lives on every non-BSD system that I've looked at, including OS X. I
    have also included a complete set of manpages for the API with text
    culled from the RFC (markup by me - mandoc police take note). It is
    currently missing manpages for two new config files, /etc/gss/mech
    and /etc/gss/qop. You can read the Solaris manpages for these files at
    http://docs.sun.com/app/docs/doc/816-5174/6mbb98uh0?a=view.

    The patch is too large to post here but you can find it at
    http://people.freebsd.org/~dfr/gss-12112005.diff. It has survived
    limited buildworld testing on one architecture and limited testing on a
    newly installed FreeBSD-current machine. I have not attempted to build
    any GSS-API-using ports and I expect there to be problems in that area
    due to the moved header file and changed linking requirements.

    Any comments, feedback, patches welcome...
    _______________________________________________
    freebsd-arch@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-arch
    To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"
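The post describes a framework that loads any RFC 2744-conforming shared library as a mechanism and introduces an /etc/gss/mech table to name those mechanisms. The C program below is an added example, not code from the posted patch or from FreeBSD's libgssapi. It parses a mechanism table and converts each dotted mechanism OID into the DER byte string a gss_OID carries, which is the form the framework would need before it can match an OID supplied by an application to a loaded mechanism. The line format "name dotted-OID shared-library" is an assumption modelled on the Solaris file the post points to, the table entries are constructed for this example, and the library paths are placeholders.

```c
/* Added example: parse an /etc/gss/mech-style table (format assumed to be
 * "name  dotted-OID  shared-library", after the Solaris manpage) and encode
 * each dotted OID into the DER form a gss_OID holds. Not FreeBSD's code;
 * the sample table and library paths below are constructed placeholders. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OID_BYTES 32

struct mech_entry {
    char name[64];
    char oid_str[64];
    char library[128];
    unsigned char oid_der[MAX_OID_BYTES]; /* what gss_OID.elements points to */
    size_t oid_len;                       /* gss_OID.length */
};

/* Encode one arc as base-128 with continuation bits (ITU-T X.690 8.19). */
static size_t encode_arc(unsigned long arc, unsigned char *out, size_t cap)
{
    unsigned char tmp[10];
    size_t n = 0;
    do {
        tmp[n++] = (unsigned char)(arc & 0x7f);
        arc >>= 7;
    } while (arc != 0);
    if (n > cap) return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = tmp[n - 1 - i] | (i + 1 < n ? 0x80 : 0x00);
    return n;
}

/* Convert "1.2.840.113554.1.2.2" into DER bytes. Returns the length, 0 on
 * error. Rejects fewer than two arcs, a first arc above 2, a second arc
 * above 39 under arcs 0/1, and any non-numeric text. */
size_t oid_to_der(const char *dotted, unsigned char *out, size_t cap)
{
    unsigned long arcs[32];
    size_t n = 0;
    const char *p = dotted;
    while (*p != '\0') {
        char *end;
        if (*p < '0' || *p > '9' || n >= 32) return 0;
        arcs[n++] = strtoul(p, &end, 10);
        if (*end == '.') { if (end[1] == '\0') return 0; p = end + 1; }
        else if (*end == '\0') p = end;
        else return 0;
    }
    if (n < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39)) return 0;
    size_t len = encode_arc(arcs[0] * 40 + arcs[1], out, cap);
    if (len == 0) return 0;
    for (size_t i = 2; i < n; i++) {
        size_t k = encode_arc(arcs[i], out + len, cap - len);
        if (k == 0) return 0;
        len += k;
    }
    return len;
}

/* Compare the DER encoding of `dotted` with a lowercase hex string. */
int oid_der_equals(const char *dotted, const char *hex)
{
    unsigned char buf[MAX_OID_BYTES];
    char got[2 * MAX_OID_BYTES + 1];
    size_t len = oid_to_der(dotted, buf, sizeof(buf));
    if (len == 0) return 0;
    for (size_t i = 0; i < len; i++) sprintf(got + 2 * i, "%02x", buf[i]);
    return strcmp(got, hex) == 0;
}

/* Parse one table line; returns 1 on success, 0 for comment/blank/malformed. */
int parse_mech_line(const char *line, struct mech_entry *e)
{
    if (line[0] == '#' || line[0] == '\n' || line[0] == '\0') return 0;
    memset(e, 0, sizeof(*e));
    if (sscanf(line, "%63s %63s %127s", e->name, e->oid_str, e->library) != 3)
        return 0;
    e->oid_len = oid_to_der(e->oid_str, e->oid_der, sizeof(e->oid_der));
    return e->oid_len != 0;
}

/* Constructed sample: a Kerberos v5 entry, a comment, and a malformed line. */
static const char *sample_table[] = {
    "# name          OID                      library (placeholder paths)",
    "kerberos_v5     1.2.840.113554.1.2.2     /usr/lib/gss/libgss_krb5.so",
    "bogus_mech      1.2.x                    /usr/lib/gss/libbogus.so",
    NULL
};

/* Number of sample entries that parse and encode cleanly. */
int count_valid_entries(void)
{
    struct mech_entry e;
    int valid = 0;
    for (int i = 0; sample_table[i] != NULL; i++)
        if (parse_mech_line(sample_table[i], &e)) valid++;
    return valid;
}

int main(void)
{
    struct mech_entry e;
    for (int i = 0; sample_table[i] != NULL; i++) {
        if (!parse_mech_line(sample_table[i], &e)) continue;
        printf("%s -> %s (", e.name, e.library);
        for (size_t j = 0; j < e.oid_len; j++) printf("%02x", e.oid_der[j]);
        printf(")\n");
    }
    return 0;
}
```

The malformed entry is dropped rather than loaded with an empty OID, so a mechanism that cannot be identified is never registered. Because every entry names a shared library that the framework would load into each GSS-API client, the table and the libraries it names need the same write protection as the rest of /usr/lib.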