From: Doug Rabson <dfr@nlsystems.com>
To: arch@freebsd.org
Date: Sat, 12 Nov 2005 10:42:42 +0000
Subject: New extensible GSSAPI implementation
Message-Id: <200511121042.42425.dfr@nlsystems.com>
List-Id: Discussion related to FreeBSD architecture

For quite a while now (far too long in fact), I've been slowly working on an extension framework for GSS-API. This was partly prompted by an interest in NFSv4, which requires both LIPKEY [RFC2847] as well as Kerberosv5 as security providers.
The existing FreeBSD GSS-API library comes from Heimdal and only provides Kerberosv5. It is also a necessary prerequisite for an implementation of RPCSEC_GSS which I'm not quite ready to commit.

The new GSS-API code acts as a plugin framework which can use any shared library GSS-API implementation that conforms to the C bindings set out in RFC2744. I have changed the heimdal build process to build its GSS-API implementation as a plugin. I have not implemented any new GSS-API mechanisms.

One clear advantage to this system is that the GSS-API framework itself is tiny (20k of code on i386) and includes no crypto code. It also has no dependencies, so applications don't have to supply a random list of heimdal implementation details when they link with it.

In an attempt to move us closer to the de facto standard for GSS-API, I've moved the gssapi header file to /usr/include/gssapi. This is where it lives on every non-BSD system that I've looked at, including OS X.

I have also included a complete set of manpages for the API with text culled from the RFC (markup by me - mandoc police take note). It is currently missing manpages for two new config files, /etc/gss/mech and /etc/gss/qop. You can read the Solaris manpages for these files at http://docs.sun.com/app/docs/doc/816-5174/6mbb98uh0?a=view.

The patch is too large to post here, but you can find it at http://people.freebsd.org/~dfr/gss-12112005.diff. It has survived limited buildworld testing on one architecture and limited testing on a newly installed FreeBSD-current machine. I have not attempted to build any GSS-API-using ports and I expect there to be problems in that area due to the moved header file and changed linking requirements.

Any comments, feedback, patches welcome...
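As an added example (not code from Doug Rabson's patch or from Heimdal), here is a small C routine that renders an RFC 2744 gss_OID in dotted-decimal form, so the mechanism a plugin advertises to an application can be matched against the OID an administrator lists for it in /etc/gss/mech. It assumes a local typedef mirroring the RFC 2744 gss_OID_desc layout (so it builds without libgssapi) and uses the Kerberos V5 mechanism OID from RFC 1964 as constructed input.

```c
/*
 * Added example, not code from Doug Rabson's patch or from Heimdal.
 * RFC 2744 hands mechanism identifiers to applications as gss_OID_desc, whose
 * `elements' hold the DER-encoded OID body (no tag or length prefix). The
 * typedef below mirrors that layout so this file compiles without libgssapi;
 * with the real framework, #include <gssapi/gssapi.h> instead.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t length;        /* OM_uint32 in RFC 2744: byte count of elements */
    void *elements;
} gss_OID_desc, *gss_OID;

/* Decode a DER OID body into "a.b.c..." in out. Returns the string length,
 * or -1 if an arc is truncated or the output buffer is too small. */
int gss_oid_to_dotted(const gss_OID oid, char *out, size_t outlen)
{
    const uint8_t *p = oid->elements;
    size_t pos = 0;
    uint32_t i = 0;
    int first = 1, n;
    while (i < oid->length) {
        uint32_t arc = 0;
        do {                                   /* base-128, high bit = more */
            if (i >= oid->length)
                return -1;                     /* arc runs past the end */
            arc = (arc << 7) | (p[i] & 0x7f);
        } while (p[i++] & 0x80);
        if (first) {                           /* first byte packs two arcs */
            uint32_t a = arc < 80 ? arc / 40 : 2;
            n = snprintf(out + pos, outlen - pos, "%u.%u", a, arc - a * 40);
            first = 0;
        } else {
            n = snprintf(out + pos, outlen - pos, ".%u", arc);
        }
        if (n < 0 || (size_t)n >= outlen - pos)
            return -1;                         /* buffer too small */
        pos += (size_t)n;
    }
    return (int)pos;
}

/* Constructed input: Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 (RFC 1964). */
static uint8_t krb5_mech_bytes[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };
gss_OID_desc krb5_mech_oid = { sizeof krb5_mech_bytes, krb5_mech_bytes };
```

Calling gss_oid_to_dotted(&krb5_mech_oid, buf, sizeof buf) fills buf with "1.2.840.113554.1.2.2"; a truncated arc or an undersized buffer yields -1 rather than a partial string.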